Introducing Appro XtremeServers & Workstation with 8 DIMM Sockets per CPU

- 2-way or 4-way, Single or Dual-Core AMD Opteron processors
- Largest memory capacity: 8 DIMM sockets per CPU, up to 128GB
- PCI-Express technology to increase I/O bandwidth and reduce system latency
- Outstanding remote management: IPMI 2.0 compliant
- Cable-free design, ready to run, simple to install, service and maintain
- Support for Windows or Linux OS
- Ideal for memory-intensive and I/O-intensive applications

1U / 2U / 3U Servers and Workstation

AMD Opteron Processors: AMD64 dual-core technology reduces memory latency and increases data throughput. Dual-core processors with Direct Connect Architecture deliver the best performance per watt with little or no increase in power consumption or heat dissipation.

Appro delivers high-performance computing solutions to help you maximize productivity for a solid ROI. On-site maintenance and installation services are also available. For more information, please visit www.appro.com
Discover how the combined power of Avocent and Cyclades (an Avocent company) IT infrastructure management solutions can take you and your data center to the next level. KVM, serial and power — all over IP. Plus, Intelligent Platform Management Interface (IPMI) and embedded KVM. The Power of Being There. Times two.

Visit www.avocent.com/powerx2


CONTENTS

JUNE 2006
Issue 146

COLUMNS

24 REUVEN M. LERNER'S AT THE FORGE
   Google Maps

28 MARCEL GAGNE'S COOKING WITH LINUX
   If Only You Could Restore Wine

34 DAVE TAYLOR'S WORK THE SHELL
   Coping with Aces

38 MICK BAUER'S PARANOID PENGUIN
   Security Features in Red Hat Enterprise 4: Firewall Configuration

44 JON "MADDOG" HALL'S BEACHHEAD
   Shoring Up the Seawall

46 DOC SEARLS' LINUX FOR SUITS
   Use and Usefulness

96 NICHOLAS PETRELEY'S /ETC/RANT
   SUSE Rocks, Fedora Locks

IN EVERY ISSUE

10 LETTERS
14 UPFRONT
50 NEW PRODUCTS
81 ADVERTISER INDEX

4 | june 2006 www.linuxjournal.com


INDEPTH

68 AN INTRODUCTION TO GAMBAS
   Will VB refugees gamble on Gambas?
   Mark Alexander Bain
   [Screenshot: Gambas version 1.0.9 welcome dialog]

76 HOW TO SET UP AND USE TRIPWIRE
   Don't let intruders go unnoticed.
   Marco Fioretti

80 THE WORLD IS A LIBFERRIS FILESYSTEM
   libferris can make your toaster look like a filesystem.
   Ben Martin

86 PENDRIVES AND THE DISTRIBUTIONS FOR THEM
   A look at the distros you can use for booting Linux from a pendrive.
   Juan Marcelo Rodriguez

89 THE ULTIMATE LINUX/WINDOWS SYSTEM
   Some of your Windows and Linux applications can share configuration data.
   Kevin Farnham

93 CONVERTING VIDEO FORMATS WITH FFMPEG
   FFmpeg is a mini Swiss Army knife of format conversion tools.
   Suramya Tomar


[Screenshot: Windows Explorer view of a shared home directory] 89 THE ULTIMATE LINUX/WINDOWS SYSTEM


Next Month

RUBY

Next month we get you started programming in a finely cut and polished language called Ruby. We also have some valuable content for those who are already Ruby programmers, like how to manage your Ruby libraries. And, did you know that you can use Ruby to glue together a vast variety of resources in your enterprise? We also explore Ruby on Rails and the changes in version 1.1. Marcel takes a whole 'nother slant on Ruby and introduces you to a variety of games with rubies in them.

There's more. Jon "maddog" Hall charts the depths of the sea, littered with the abandoned sunken hulls of proprietary design. Doc Searls addresses a related issue, runaway patents and absurd copyrights. All in the next issue of Linux Journal.
Transport VX50 B4881: 8-Processor AMD Opteron 5U Server, a 4/8 processor HPC computing platform.
Worth the Wait

Starting with your first /etc/rant column, I have loved them. You are saying aloud what many in the community think, with a very loud voice. I wanted to ask you, why is this available only to subscribers? I'd love to make some comments on my blog and then link to your columns, or translate them to Spanish and let my friends read them in my blog. Tell me if this is feasible, please. I already commented on the /etc/rant of February 2006 issue and plan to do it on the April one I've just received, because I have lots of friends using GNOME just because they think it embodies the spirit of Free Software. Keep up the rant...er, the work.

Enrique Verdes

We do not publish in print and on the Web simultaneously, but we do publish our print content on the Web after a period of time expires. You can find archives of the magazine at the URL www.linuxjournal.com/xstatic/magazine/archives.—Ed.


Rant about Rant

Teams work very hard to release and offer their programming works of art. I doubt any of them wishes to bash each other's software. How about some constructive rants? The developers just might be inclined to offer a feature/fix that your "opinion" had a problem with. Or, heck, maybe you might even spawn a reader to contribute constructively instead of complain. Thanks for listening to my rant.

Ryan Ferguson


Content Must Be Free of Unwanted Influence

The position of editor in chief traditionally allows ultimate control of all aspects of a publication—from which letters will be included, to whether GNOME or KDE screenshots are used, to what articles are published and who is allowed to contribute. Perhaps LJ has a system of checks and balances in place that the casual reader doesn't know about, but from the cheap seats, I'm concerned. Not to sound alarmist, but a strong bias from the editor in chief is a contamination that can't possibly be quarantined only to the last page of a publication!

Matt McElheny

It is the job of an editor in chief to serve the magazine's readers, period. That means keeping the content separate from the influence of advertising and unaffected by the editor's own personal opinions. If at any point you believe the content reflects otherwise, I will take your complaints very seriously.—Ed.


On the Spirit of Open Source

Great rant [April 2006]. But, as I see it, the real problem is not about advocacy, it's about (never-ending) fragmentation. Big players (such as Oracle and Dell) are complaining about it, and no one seems to listen. The real problem is that a genius like Miguel is wasting his time with GTK or Mono (the C# equivalent of the GNU Java compiler), when he could do really useful stuff. It's a pity.

Dani


GCJ Deserves an Apology

I just got the latest LJ in the mail today. I wonder about the genesis of the "practically useless GCJ" remark in the /etc/rant column [April 2006].

The version of Eclipse on my Debian Sid installation was built with GCJ, and it seems to run fine with no Sun JRE in sight. I thought Eclipse was a fairly large and complex project (although I have never tried to build it from scratch myself), so what does GCJ need to be able to do to get out of the "practically useless" category?

I also thought the limits of GCJ were due to limits of GNU Classpath, and that work on that was progressing nicely. Maybe I'm not following developments closely enough, though.

Jon

I'm the one not following the developments closely enough. Granted, it's not supported for Swing, but if you can compile the SWT-based Eclipse with GCJ, I owe it an apology.—Ed.


Even Einstein Agrees

So far, I just want to say that I like the rants closing the new Linux Journal issues, although a blog of some kind might be a more appropriate place.

Still, you are echoing sentiments that I have expressed many times in the past. From the moment Miguel said, "UNIX sucks", and started making Linux look like Windows, I've felt like I've been lost in some kind of terrible nightmare, unable to awaken. I love UNIX, and although it certainly needs help on the desktop from a development API standpoint, I'm not about to throw away everything about UNIX that makes it great. Please reference the late Mr Einstein's genius (I use the following quotation in my e-mail signature) for why UNIX is great, IMHO:

"Any intelligent fool can make things bigger and more complex....It takes a touch of genius—and a lot of courage—to move in the opposite direction."—Albert Einstein

Michael P. Soulier
Swinburne University's Center for Astrophysics and Supercomputing in Melbourne, Australia, is helping develop the next generation radio telescope in order to collect enough data to perform modeling and simulations of our entire galaxy. Their goal is to make realistic, 3D, virtual-reality animations available to the general public, particularly school children. To do this, they used the Intel compilers to deliver application performance improvements, saving them valuable development time and money. Whether you build applications for physics or financial analysis, Intel Software Development Products help your Linux applications reach for the stars.
LETTERS

Please cancel my subscription, because the Linux Journal disappoints me thoroughly. It's too practical for this budding theoretical computer scientist.

You now have a very inconvenient size and it ruins the display I have of Linux Journal. It doesn't fit on my lap in the men's reading room; it doesn't fit in most places while reading, except in your hands, and it is awkward there as well. I love Linux Journal: I hate the new size of the pages.


In "Demons Seeking Daemons—A Practical Approach to Hardening Your OpenSSH Configuration" [March 2006], Phil Moses mentions the UsersAllow directive, but it is really the AllowUsers directive (as Listing 2 shows). And UsersDeny is really DenyUsers.

The meaning of an entry such as user@hostname.domain is misleading. He seems to indicate that it allows access to user from hostname.domain, but it really means that people from hostname.domain can access user's account (according to O'Reilly's SSH book).
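The following is an added example, not code from the magazine or from OpenSSH: a small Python model of how sshd applies the two directives the letter names, DenyUsers first and then AllowUsers, with a bare pattern matching the local account and a USER@HOST pattern checking the account and the client host separately. The sshd_config fragment, account names and hosts are constructed; the keyword list is a subset chosen for the example; fnmatch stands in for sshd's own pattern matcher; groups, CIDR host patterns and Match blocks are left out.

```python
"""Added example (not OpenSSH's code): model how sshd evaluates
DenyUsers and AllowUsers.

Modelled from sshd_config(5): DenyUsers is consulted before AllowUsers;
a bare pattern matches the local account being logged into; a USER@HOST
pattern checks account and client host separately. Wildcards are '*'
and '?'; fnmatchcase stands in for sshd's own matcher. Groups, CIDR
host patterns and Match blocks are omitted.
"""
from fnmatch import fnmatchcase

# Constructed sshd_config fragment. 'UsersAllow' is the misspelling the
# letter corrects; real sshd rejects it as a bad configuration option.
SAMPLE_CONFIG = """
Port 22
PermitRootLogin no
UsersAllow alice
DenyUsers guest *@*.untrusted.example
AllowUsers alice bob@*.corp.example ops@192.0.2.10
"""

# Subset of sshd keywords, sufficient for this example.
KNOWN_KEYWORDS = {"port", "permitrootlogin", "allowusers", "denyusers",
                  "allowgroups", "denygroups"}


def parse_config(text):
    """Return ({lowercased keyword: [patterns]}, [unknown keywords])."""
    directives, unknown = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        key = keyword.lower()
        if key not in KNOWN_KEYWORDS:
            unknown.append(keyword)           # what 'sshd -t' would flag
            continue
        directives.setdefault(key, []).extend(rest.split())
    return directives, unknown


def _pattern_matches(pattern, user, host, addr):
    """Match one DenyUsers/AllowUsers pattern against a login attempt.
    'user' is the local account requested; 'host' and 'addr' describe
    the client. A USER@HOST pattern must match both parts."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        host_ok = (fnmatchcase(host.lower(), host_pat.lower())
                   or fnmatchcase(addr, host_pat))
        return fnmatchcase(user, user_pat) and host_ok
    return fnmatchcase(user, pattern)


def login_allowed(directives, user, host, addr):
    """Apply DenyUsers, then AllowUsers, in sshd's documented order.
    A matching DenyUsers entry wins even if AllowUsers also matches."""
    for pattern in directives.get("denyusers", []):
        if _pattern_matches(pattern, user, host, addr):
            return False
    allow = directives.get("allowusers", [])
    if allow and not any(_pattern_matches(p, user, host, addr) for p in allow):
        return False
    return True            # no AllowUsers list at all: not restricted


if __name__ == "__main__":
    conf, bad = parse_config(SAMPLE_CONFIG)
    print("unknown keywords:", bad)
    attempts = [
        ("alice", "laptop.home.example", "198.51.100.7"),
        ("bob", "pc1.corp.example", "10.0.0.5"),
        ("bob", "pc1.home.example", "10.0.0.6"),
        ("ops", "gw", "192.0.2.10"),
        ("alice", "x.untrusted.example", "203.0.113.9"),
        ("guest", "pc1.corp.example", "10.0.0.5"),
    ]
    for who in attempts:
        print(who, login_allowed(conf, *who))
```

The two results worth noticing: alice is allowed from her own machine but refused from *.untrusted.example, because a DenyUsers match is final regardless of AllowUsers; and the misspelled UsersAllow line is reported rather than silently ignored, which is also what `sshd -t` does before a restart.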


In your recent article on temperature monitoring [see "Remote Temperature Monitoring with Linux" by Steven M. Lapinskas, LJ, April 2006], you didn't mention Paul Alfille's OWFS Project (owfs.sourceforge.net).

OWFS already has been ported to the Linksys WRT54G wireless router, providing a cheap and readily available hardware platform for monitoring projects like the one described in the article (owfs.sourceforge.net/WRT54G.html).


Juan Marcelo Rodriguez's XOOPS article [April 2006] tells us to set three directories so that any local user, including the Web server, can create and execute programs in them:

chmod 777 uploads cache templates_c

That's poor security practice. If XOOPS needs it, XOOPS needs a redesign. These wide open directories are just the place to install a 'bot for spamming or DoS attacks. It's begging for an Internet worm, if one doesn't exist already.

Mambo has similar issues. It seems the easier they make these complex Web apps to install, the less care they pay to securing those installations.
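The following is an added example, not from the magazine or from the XOOPS project: a Python audit that walks a web root, reports every path writable by "other", and resets those directories to mode 2770 so that only the owner and the group can write. The directory tree is constructed to mirror the three XOOPS directories the letter quotes, with two 755 directories as controls. In a real deployment the directories would also be chgrp'd to the web server's group (www-data is assumed here); the script leaves ownership alone because changing it needs privileges.

```python
"""Added example: find world-writable paths under a web root and
tighten them. Not XOOPS or Mambo code.

Builds a throwaway tree shaped like the XOOPS layout the letter quotes
(uploads, cache, templates_c) in the 777 mode the article suggested,
reports every path writable by 'other', and re-sets those directories
to 2770: owner and group can write, everyone else cannot. The group
would be the web server's (assumed: www-data) after a chgrp that this
script does not perform. Requires a POSIX filesystem.
"""
import os
import stat
import tempfile

WRITABLE_DIRS = ("uploads", "cache", "templates_c")   # named in the letter
CONTROL_DIRS = ("modules", "include")                 # constructed; stay 755


def build_sample_tree():
    """Create the constructed web root and return its path."""
    root = tempfile.mkdtemp(prefix="xoops-")
    for name in WRITABLE_DIRS:
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, 0o777)       # what 'chmod 777' leaves behind
    for name in CONTROL_DIRS:
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, 0o755)
    return root


def find_world_writable(root):
    """Return sorted relative paths of dirs and files writable by 'other'.
    Any local account, or any code the web server can be made to run,
    may create, replace or rename entries in such a directory."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue            # a symlink's own bits are not meaningful
            if mode & stat.S_IWOTH:
                found.append(os.path.relpath(full, root))
    return sorted(found)


def tighten(root, dir_mode=0o2770):
    """Replace 'other'-writable modes under root with owner+group only.
    The setgid bit on a directory makes files created in it inherit the
    directory's group, so the admin keeps access to what the web server
    writes without reopening the mode to everyone. Returns fixed paths."""
    fixed = []
    for rel in find_world_writable(root):
        full = os.path.join(root, rel)
        if os.path.isdir(full):
            os.chmod(full, dir_mode)
        else:
            os.chmod(full, dir_mode & 0o0660)   # files need no execute bit
        fixed.append(rel)
    return fixed


def mode_of(root, rel):
    """Permission bits of a path under root (e.g. 0o2770), for checking."""
    return stat.S_IMODE(os.stat(os.path.join(root, rel)).st_mode)


if __name__ == "__main__":
    root = build_sample_tree()
    print("world-writable before:", find_world_writable(root))
    print("tightened:", tighten(root))
    print("world-writable after:", find_world_writable(root))
```

Run as the owner of the tree. After the change the web server still writes to uploads, cache and templates_c through its group membership, while an unrelated local account no longer can; `find /var/www -perm -o+w` gives the same report from the shell for a live site.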
OSS-1000 1U OPEN Series

- Tool-less 1U case design with rail kits
- 3-year next day warranty within the USA
- Available with 1, 2, 4, or 8 CPUs per system
- Up to 8 terabytes storage and 64GB of RAM
- Tool-less 3U case design with rail kits
- 16 hot-swap drive bays, SCSI/SATA-2
- Supports RAID levels 0, 1, 5, 6, and 10

866-664-STOR | Sales@OSShpc.com | OpenSourceStorage.com
Shop online for OSS on whaBAM.com
1195 Borregas Avenue, Sunnyvale, CA 94089
UPFRONT

diff -u
WHAT'S NEW IN KERNEL DEVELOPMENT

With the imminent advent of version 3 of the GNU General Public License, the question naturally comes up whether Linux will continue to be licensed under version 2, or migrate to version 3. The answer seems to be that no migration will occur. Even if Linus Torvalds wanted to, he does not control the copyright of all the thousands upon thousands of code contributions that have gone into the kernel over the years, and only those copyright holders could authorize a license change for their own contributions. Although attempts to track down all the contributors and obtain permission have been made by optimistic souls, it is virtually impossible to do this. The GPL version 2 will be the Linux kernel license for the foreseeable future.

Meanwhile, more and more kernel variables and functions are being set to operate only with GPLed third-party drivers. The kernel can do this by testing any driver to see if it sets a variable indicating the license under which its code is released (a module declares it with MODULE_LICENSE(); the restricted symbols are the ones exported with EXPORT_SYMBOL_GPL() rather than EXPORT_SYMBOL()). If the license is the GPL, the kernel allows access to those restricted symbols. Otherwise, it's denied. This recently bit AVM, when Greg Kroah-Hartman restricted the USB subsystem to operate only with GPLed drivers. AVM always had released its own binary-only driver for its hardware, but this new change stopped it in its tracks. The change itself was reverted out of the kernel, although it did turn out that one reason Greg had implemented that change was because it has been possible for some time now to write USB drivers in user space with no loss of speed. Regardless, one result of this particular confrontation was for Greg to implement some logging infrastructure, so that symbols soon to be GPL-restricted would be clearly identified in the logs at runtime, and sysadmins on those systems could begin to make reasonable preparations for that change.

Willy Tarreau has begun gathering together useful 2.4 patches and making them available at a central location. In general, there has been an outcry among some users that without the even/odd development dichotomy, and with 2.4 virtually stationary, there is now no stable series that is still reasonably up to date with current features. Arguments by the kernel developers that distributions take care of kernel stability, and that the w.x.y.z tree was created specifically to address the issue of stability, are unconvincing for one key reason. Although it's true that those kernels may get good uptime, their behaviors are still potentially inconsistent from version to version—that is, the code base itself is unstable, making it difficult for user-space developers to create systems that behave reliably for the services they require. Although it seems clear to me that eventually kernel development will have to give stability first-class consideration, so far there is no real movement in that direction among the top developers. This may be one reason why Willy's foray back toward 2.4 maintenance has come about.

The IDE driver may be going away at some point in the medium future, as libata becomes more and more robust, and a more viable replacement for it. Alan Cox is confident that, although now is still not the time for a straightforward replacement, it is still the goal and the intention of ongoing libata development. It's important to bear in mind, when considering this, that the IDE nightmare cannot be ended simply by replacing one set of code with another. The IDE standards are still (and will continue to be) a horrible mess, and vendor interpretation and compliance with those standards is still (and will continue to be) extremely nuanced and difficult to support. So whatever the future of IDE may be, it will have to accommodate all the twists, turns, bumps and punctures endured in the past. Even if all future IDE hardware magically conformed to a single sane standard, it would be quite some time before we could abandon support for all the older hardware.

The Reiser 4 filesystem has not unexpectedly run into problems being accepted into the Linux kernel. After the most recent flame war, which had some developers throwing up their hands and saying they refused to give feedback on ReiserFS patches until Hans Reiser stopped attacking them, responses to ReiserFS posts on the mailing list have thinned out. Without the support of the kernel developers, the possibility of Reiser 4 going into the kernel becomes more problematic. Only the kernel developers fully grasp the requirements that any given patch must meet in order to be accepted into the tree. Without their guidance, Reiser 4 may have a hard time moving in the right direction. And as Reiser 4 development continues to diverge from the kernel proper, the patch that must ultimately be accepted into the kernel grows as well, adding much to the work required for final integration. Almost certainly Reiser 4 will make it into the kernel eventually, but probably not before its developers solve the technical and social issues that confront them.

—Zack Brown


DEBUT OF NEW RUBY COLUMN

Given Ruby's recent surge in popularity, linuxjournal.com is excited to bring readers The Gemcutters Shop (TGS), a new column that will focus on the Ruby community and a variety of Ruby programming topics. Regular linuxjournal.com author and active Ruby contributor Pat Eyler will show us how to develop skills related to Ruby programming, use libraries from Ruby's standard library, work with additional libraries and use applications written in or for Ruby.

Don't miss Pat's kick-off column, "Welcome to the Gemcutters Shop", available at www.linuxjournal.com/article/8921. Upcoming columns will use code and case studies to demonstrate rcov, Rake, RubyGems, Mr. GUID and much more.

2006 EVENT CALENDAR

We're in the middle of tradeshow mania right now—pick a topic and a city, and we're pretty sure some sort of tech event is on its way. Use our Linux Industry Events calendar (www.linuxjournal.com/xstatic/community/events) to stay on top of all this year's tradeshows and conferences, from ISPCON Spring 2006 to the USENIX LISA Conference.

BE A LINUXJOURNAL.COM CONTRIBUTOR

Do you have a great tutorial or how-to article you want to share with an eager audience? Are you looking to unveil your coding masterpiece or helpful tricks? Did you test drive the latest version of a top-three distro and want to tell us what you really think? We're always looking for interesting and unique article proposals. Send your ideas to webeditor@ssc.com.


Linux laptops. Supported.

Since 1999, EmperorLinux has provided pre-installed Linux laptop solutions to universities, corporations, and individual Linux enthusiasts. We specialize in the installation of the Linux operating system on a wide range of the finest laptops and notebooks made by IBM, Lenovo, Dell, Sharp, Sony, and Panasonic. We offer a range of the latest Linux distributions, as well as Windows dual boot options. We customize each Linux distribution to the particular machine it will run upon and provide support for: ethernet, wireless, EVDO mobile broadband, PCMCIA, USB, FireWire, X-server, CD/DVD/CDRW, sound, power management, and more. All our systems come with one year of Linux technical support by both phone and email, and full manufacturers' warranties apply.

Visit www.EmperorLinux.com or call 1-888-651-6686 for details.
With the Dual-Core Intel Xeon Processor in your VXRACK, your servers have advanced reliability features built in.

3 Good Reasons to Buy a VXRACK Cluster Technology

Built to Order. Customized Servers, Blades & Storage: Get the technology that's right for your business and not right for your supplier. With a capability to manufacture over 2500 systems a day, Ciara is suited to accommodate any customer requirement. Our record growth enabled us in February 2003 to inaugurate an all-new, ultra-modern manufacturing plant of 576,000 square feet. Our systems are built under ISO 9001-2000 certification.

Service: Incorporated in 1984, Ciara Technology is a world class provider of computer systems including desktop, laptop, servers, storage and supercomputer clusters as well as other software and integration services. All our systems are serviced by Ciara's highly trained and certified technicians and system engineers. We are an accountable supplier: one single point of contact for all your technology needs.

Channel Partner Premier: Ciara has a strong working relationship with Intel, so we have access to information and support that give us, and you, significant advantages in deploying and managing your systems and applications. The result is a more flexible solution that meets your current needs, while enabling easy expansion to accommodate emerging technologies and new business growth.

VXBLADE-7520JR2 (a standard in the datacenter; mid to high end server): Dual Intel Xeon (2.8GHz dual core), 800MHz front side bus, 2x2MB L2 cache, 2GB (2x1GB) ECC/Reg DDR2 533 (expandable to 12GB), one 80GB (7,200RPM) SATA150 HDD, 3-year return-to-Ciara warranty. Upgrades: 120GB (7,200RPM) SATA150; additional 2GB (2x1GB) ECC/Reg DDR2 400, add $299; upgrade to 8GB (4x2GB) ECC/Reg DDR2 400.

VXBLADE-7520BB22 (low voltage, quad cores per server; ultra low power consumption): Dual Intel Xeon LV (2.0GHz dual core), 667MHz front side bus, 2MB shared L2 cache, 2GB (2x1GB) ECC/Reg DDR2 400 (expandable to 16GB), one 80GB (7,200RPM) SATA150 HDD, 3-year return-to-Ciara warranty. Upgrades: 120GB (7,200RPM) SATA150; additional 2GB (2x1GB) ECC/Reg DDR2 400, add $299; upgrade to 8GB (4x2GB) ECC/Reg DDR2 400.

VXR-72 or VXR-96 special rack enclosure. VXR-96 accommodates up to 8 enclosure chassis, up to 96 VXBLADEs, 1.1TB of memory and 48TB of local storage. VXR-72 accommodates up to 6 enclosure chassis, up to 72 VXBLADEs, 0.8TB of memory and 36TB of local storage. Optional vertical cable management, InfiniBand cable management and color customization.

Prices in US dollars; shipping and applicable taxes are not included. Intel, Xeon and related marks are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Visit us at CIARA-TECH.COM or give us a call: 1-866-278-9722
LJ Index, June 2006

1. Number of minutes per day Britons spend watching TV: 148
2. Number of minutes per day Britons spend using the Net: 164
3. Millions of Weblogs as of March 9, 2006: 30.5
4. Millions of RSS feeds, worldwide: 70
5. Number of generations back that all humans have the same ancestors: 120
6. Trillions of dollars in the latest US federal budget: 2.8
7. US federal credit limit, in trillions of dollars: 9
8. Total billions of searches by Americans in January 2006: 5.48
9. Millions of households promised fiber broadband by 2006: 86
10. Promised symmetrical fiber performance in Mbps by 2006: 45
11. Average monthly dollar price promised for home fiber service by 2006: 50
12. Dollar prices for 100Mbps service found in Japan and Korea today: 40
13. Worldwide position of US in broadband deployment in 1996: 1
14. Worldwide position of US in broadband deployment in 2005: 16
15. Estimated billions of dollars lost to customers of failed US fiber deployments: 200
16. Estimated trillions of dollars lost to the US economy by failed fiber deployments: 5
17. Percentage of local authorities using Linux in the UK: 33
18. Percentage of local authorities using Linux in France: 71
19. Percentage of local authorities using Linux in Holland: 55
20. Percentage of local authorities using Linux in Germany: 68

Sources: 1, 2: Guardian Unlimited, from a Google survey | 3: Technorati | 4: SocialText | 5: Slate and Nature | 6, 7: Washington Post | 8: Center for Media Research | 9-16: CAZITech, TeleTruth.org | 17-20: John Dwyer in Industry (UK)

—Doc Searls

They Said It

"Don't build your own kernel. It's a great way to waste a month of your time. The main reason for using BSD is that you work at Yahoo. Otherwise, use Linux. Premature optimization is the root of all evil."
—Cal Henderson, on building Flickr on Linux. Flickr is now owned by Yahoo, most of which runs on Yahoo's BSD (conferences.oreillynet.com/cs/et2006/view/e_sess/8068)

"REST is the Unix pipe of the net."
—Kevin Marks, on IRC at a conference

"Daddy, you have a picture of the Internet on your shirt."
—Six-year-old daughter of Phil Windley, on his lap while he wore a Firefox shirt

"Open source development violates almost all known management theories."
—Marietta Baba, Dean of the College of Social Sciences, Michigan State University (source: Greg Kroah-Hartman in www.kroah.com/linux/talks/oscon_2005_state_of_the_kernel)

"Keep Your Exits Open: How Startups & Their Investors Can Minimize the Risk of Using Open Source Code"
—Title of a Dow Jones Virtual Seminar on March 20, 2006

"Make Business Fast, Easy and Risk-Free: What Free and Open Source Software Does to Liberate Free Markets"
—Title of a virtual seminar proposed by Doc Searls to Dow Jones (Source: Andrew Leyden and Doc Searls)
Thinkmate server and workstation products offer more configurations, and more customizable options, than any other system builder.

Thinkmate 1U Server, 2x Serial-ATA or SCSI drives, with Intel Xeon Processors

Dozens of customizable systems online, unlimited possibilities by phone.

- Rackmount Servers
- High-Performance Servers
- Storage Servers
- Pedestal Servers
- Silent Workstations
- Blade Servers
- Clustering
- Notebooks

Operating System Options: Thinkmate systems are available with either no OS, or pre-loaded with Linux or Microsoft Windows operating systems. Thinkmate also offers dual-boot and virtualization options.

100% True Hardware Customization: Thinkmate is an innovative provider of an extensive variety of computer solutions. We completely customize all of our machines to match your individual needs. Our online quoting and ordering system has more customizable options than any other system builder on the web. If you can't find exactly what you need on our site, then give us a call and we would be more than happy to help you find it!

Service: Thinkmate takes customer service to a new level. All of our systems have a minimum of a 3-year advanced replacement warranty and offer up to a 3-year next business day onsite warranty through IBM Global Services. We understand mission critical situations and provide superior services to keep all of our customers satisfied.

GSA Scheduling: We offer rapid GSA scheduling for custom configurations. If you have a specific hardware requirement, we can have your configuration posted on the GSA schedule within 2-4 weeks.
Saving Dollars with CentOS

At the Austin BarCamp in March 2006, I found myself sitting next to a guy with a large new laptop that seemed to be running some kind of Linux. Turned out his name was Matt Lawrence, his laptop was a new Dell Inspiron 9300, his job was systems administration and his Linux of choice was CentOS.

I asked him about it. Here are my notes, all quotes:

CentOS's goal is to be as close to Red Hat as possible without violating trademarks and copyrights. They lag behind Red Hat Enterprise 4 by two or three weeks. All the security and other updates are constantly coming out.

If you want support from a person, buy Red Hat Enterprise Linux. If you want support from a community with the same code base, get CentOS.

They fit nicely together. You can run Red Hat Enterprise for production and run CentOS for development and testing.

It's my preferred desktop. And I'd say it's an excellent desktop system choice for small companies. Getting it up and running on this new Dell was easy. It came right up, ready to go. The only glitch was X. I had to edit the X config file for screen, which is 1920 x 1200. That's 16 x 9 rather than 4 x 3.

So I got the minimum up off one CD, then added the packages I wanted. It took about an hour to pull those down over DSL using yum.

It's a good deal. I get paid for doing Red Hat. And I save my own money running CentOS.

[Photo: Matt Lawrence with his Dell running CentOS]

We'd appreciate hearing about your experiences with CentOS as well.

—Doc Searls

[Comic: USER FRIENDLY by J.D. "Illiad" Frazer, Linux Journal edition. Copyright 2006 J.D. "Illiad" Frazer, http://www.userfriendly.org/]


A New J for the LAMP Stack


From Tom Limoncelli (an engineer with 
Google and co-author of Time Management 
for System Administrators) comes an enthu- 
siastic welcome for Jifty, a Web application 
development framework. Tom says Jifty is 
“like a Ruby on Rails for Perl”. It comes 
from Jesse Vincent, David Glasser and
Alex Vandiver. Jesse will be familiar to fans 
of Request Tracker—an open-source CRM. 
Find it at Jifty.org and CPAN.org. 


—Doc Searls 


Google Maps


Google maps out excellent Web 
services for keen developers. 


During the past few months, we have looked at a number 
of Web services. Web services is a catch-all phrase for the ways 
in which Internet companies are making their data available to 
the general public, for use in people’s own applications. Thus, 
Amazon makes its product catalog available for us to create 
on-line stores and pricing programs, eBay allows us to search 
through (and bid on) products available for sale, and Google 
makes its search results available for viewing and manipulation. 
Each company restricts the ways in which we are allowed to 
use the provided data, but the trend appears to be toward 
additional openness and availability. 

Sometimes, that openness comes in a package that is 
slightly different from the standard form of Web services. 
That is, some companies make their data available using 
specialized libraries that call the services for you, hiding the 
specifics of the calls from your application. One of the 
most famous examples, and the one that we look at this 
month, is Google Maps. I have found Google Maps to be
one of the most compelling and powerful Web applications 
out there. Not coincidentally, Google Maps was one of the 
first applications to make use of Ajax, a term that describes 
how we can use a combination of JavaScript and XML to 
grab data from remote servers and then use the results to 
update a Web page dynamically. 

This month, I explain how easy it is to create maps using
the Google Maps API. We create some basic maps and even 
put up small markers indicating locations of interest to us. This 
will serve as a building block to creating our own mashups, the 
increasingly popular term for the use of Google Maps to dis- 
play information culled from a separate database. 


Basics 

Google Maps, like most Web applications, divides the work 
between the client (a Web browser) and a server. However, 
the traditional division of labor has been fairly unequal, 
putting almost all of the computational onus on the server, 
giving the browser responsibility for display alone. Ajax 
changes this, using one or more JavaScript libraries that 
know how to manipulate the data being displayed in new 
and interesting ways. 

Although Google may someday release an API that will 
allow us to create our own Ajax applications with its map 
information, the current release requires that we install and use 
everything in a single package. That is, Google provides a 
JavaScript library—or more precisely, a link to a JavaScript 
library located on Google's servers—that we incorporate into 
our pages and then use to create a map. 

In order to display maps, we need to use that JavaScript 
library. However, both to keep track of who is using the API and 
also to ensure that it is being used according to the rules, the 
library is available only to holders of a key. 

Now, we have seen this sort of restriction before, both in 
Amazon's Web services and also Google’s main Web services 
(that is, for search results). However, the key used in Google 
Maps is somewhat different; it is keyed both to a particular
person (with a Google account) and to a particular URL. This
means a map key that works at http://www.example.com will
not also work at http://www.example.net.

The first step in using the Google Maps API is to decide 
under which URL you want to put the maps. I decided to create
a new Apache virtual host on my system, which I named
maps.lerner.co.il. I then registered with the Google Maps API page
(www.google.com/apis/maps), indicating that my applications
would be under the URL maps.lerner.co.il. Several seconds later,
I was greeted with a page containing my API key, as well as a
simple starter page that can display a map. The key is a very 
long string of ASCII characters, separated by spaces. 

Because we will base our applications on HTML, we should 
take a close look at it: 


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <script
      src="http://maps.google.com/maps?file=api&v=1&key=ABQTAAAAQQK9JhAXQ9eq-G55qgulExScF-BH9Y-SIKcAjU8YFS_uTREGFBSs2-11UWYOkXbUv6argoPyrx3YTg"
      type="text/javascript"></script>
  </head>
  <body>
    <div id="map" style="width: 500px; height: 400px"></div>
    <script type="text/javascript">
      // Attach a map to the div above, add the small pan/zoom control
      // and centre the map on Palo Alto at zoom level 4.
      var map = new GMap(document.getElementById("map"));
      map.addControl(new GSmallMapControl());
      map.centerAndZoom(new GPoint(-122.1419, 37.4419), 4);
    </script>
  </body>
</html>


The HTML document begins by declaring its DOCTYPE, 
which turns out to be strict XHTML. XHTML is a wonderful 
idea and ensures that HTML is structured according to all 
of the strict XML rules. That said, many HTML pages do not 
adhere to this standard and thus are considered either tran- 
sitional (meaning, XHTML with a liberal eye) or nothing at 
all. Because Google Maps tries to be compatible with as 
many browsers as possible, it benefits greatly from strict 
adherence to XHTML. 

In the <head> tag, we see that there is a <script> tag, 
which loads JavaScript source from Google's servers at
maps.google.com. This ensures that the latest version of 
the JavaScript library is always available to us and our users. 
Google promises that when it upgrades the map API, it will 
give a one-month grace period to allow developers to learn 
about incompatible changes they might have made. 

In the body of the HTML document, we then have a div 
tag, whose ID is map. This is the node that we will be passing 
to Google's JavaScript library. The style attribute passed to the 
div tag contains a width and a height; these determine the 
size of the map. Your site can display any combination of 
width and height for the map, allowing you to make adjust- 
ments for your particular site design. 

Inside of the div, we finally get to the heart of the matter, 
with three calls. 

First, we create an instance of a GMap object. As you 
might imagine, a GMap represents a particular map within 
the world of Google Maps. We attach the GMap object to 
the node with the ID of map. (If the element does not 
exist, the map will not appear on the screen.) This means, 
by the way, that you can have more than one map ona 
particular Web page—simply create multiple <div> tags, 
each with its own unique ID attribute, and attach different 
instances of GMap to each <div>. 

Once we have created an instance of GMap, we can send
it messages to control its behavior. For example, we can add a
control to it, allowing us to zoom in and out. In this docu- 
ment, for example, we add a small map control by invoking 
the addControl() method, passing it a new instance of 
GSmallMapControl. The GSmallMapControl contains +/— 
buttons for zooming, as well as arrow buttons for moving 
the map without having to drag the mouse. 

Google provides two other control types as well, known as 
GSmallZoomControl (which has only the +/— zoom buttons) 
and GLargeMapControl (which includes everything that the 
GSmallMapControl does, plus buttons that allow you to jump 
to a particular zoom level). The controls always appear in the 
top-left corner of the map, and there is no way to stop you 
from instantiating more than one of these controls. This 
means if you aren't careful, you might create more than one 
control, leading to an ugly map and site. 

After creating our map and adding a control to it, we 
then instruct the map to show us a particular point. Points 
in a Google map are represented with the GPoint data 
structure, which represents a single point of longitude and 
latitude. Longitude and latitude can be represented with 
either degrees or floating-point numbers; for obvious rea- 
sons, GPoints are constructed using the latter. The example 
document has the following call: 


map.centerAndZoom(new GPoint(-122.1419, 37.4419), 4); 


The above line of JavaScript sends a centerAndZoom mes- 
sage to the map object. It instructs the map to center itself 
around the point described by the GPoint and to display the
map at level 4. The closest zoom level is 1, and the farthest 
away is 15, with levels 16-18 showing different types of wrap- 
ping. Level 4 allows you to see streets and is a good starting 
point for people using a map. 

It is important to realize that GPoint objects are created 
with longitude and latitude as their parameters, and not the 
reverse. This is probably because Google engineers thought in 
terms of x and y coordinates, which are more natural for math 
and science people. However, coordinates are often given in 
latitude, longitude pairs, as opposed to the reverse—so be 
careful before blindly entering coordinates into a program 
without checking their order and meaning. 

The GPoint created in this default document is in Palo 
Alto, California, presumably pointing to Google's offices. 
To look at another area on the map, simply substitute a 
different set of coordinates. For example, to look at Skokie, 
Illinois (where I'm currently living), I simply substitute a
different set of coordinates: 


map.centerAndZoom(new GPoint(-87.740070, 42.037030), 4); 


Sure enough, when I reload my page, I'm now looking at a
map of Skokie, rather than Palo Alto. 

Finally, Google provides us with the ability to switch 
between three different views, known as map, satellite and 
hybrid. By default, these controls are shown in the top-right 
corner and appear thanks to the line: 


map.addControl(new GMapTypeControl()); 


As you can probably guess, the above line sends an 
addControl message to our map object, handing it a new 
instance of GMapTypeControl. 


Markers 
Finally, let's look at how we can create a marker, as it is 
known, on our map. A marker lets us identify a particular 
point on a map, showing it with one of the Google Maps 
icons that users recognize. Moreover, although we see this 
functionality today, we easily can create JavaScript handlers for 
our markers—such that clicking on a marker causes a 
JavaScript function to be executed and presumably change the 
look of our map somehow. 

To create a marker, we create a new instance of GMarker, 
passing it a GPoint: 


var myMarker = new GMarker(new GPoint(-87.740000, 42.030000)); 


Now that we have created our marker, we can display it 
on the map: 


map.addOverlay(myMarker);


If you add the above two lines within the <script> section 
of the HTML file, you immediately will see a red marker 
appear on the screen. 

Now, here’s where some real magic begins. Everything 
that we have done so far is done in JavaScript and HTML. 
Both of these are read and handled by the browser, but 
they are created by the server. This means that if we create 
our HTML file not as a static file, but rather dynamically 
(that is, from a server-side program), we can do all sorts of 


neat things with the JavaScript. 

For example, we can create multiple GMarkers, simply by 
assigning them to different variables and then attaching each 
of them to the map. If our Google Maps page is being run by 
PHP, we can write a short PHP program that inserts appropri- 
ate JavaScript code into the page. For example: 


<?php
// Two longitudes at the same latitude, one marker each
$a = array(-87.740070, -87.730000);
$count = 0;

foreach ($a as $v) {
    // Emit one JavaScript statement per marker, each with a unique
    // variable name built from $count
    echo "var myMarker$count = new GMarker(new GPoint($v, 42.037030));\n";
    echo "map.addOverlay(myMarker$count);\n";
    $count++;
}
?>


If we put the above inside of the <script> section of our 
page, and if we then rename the page to index.php (instead 
of index.html), we quickly will see two markers on the page, 
with slightly different longitudes and the same latitude. 

Notice how the above code uses PHP's echo command
to insert text into the HTML document when it executes.
Also notice that we need to add semicolons—one to end
the line of JavaScript (inside of the quotes) and one to end
the line of PHP (outside of the quotes). These sorts of
issues are always a headache when writing a program
that writes another program. Finally, notice how we had
to create arbitrary new variable names to avoid using the
same variable over and over, and thus losing all but one
of the markers. The simplest way to do this is with a
$count variable, which then assures that you will have
a unique variable name for each marker.


Conclusion 

Google Maps is a wonderful Web application. But for 
developers, it’s also a platform on which we can create all 
sorts of new applications and services that depend on 
maps. In particular, by dynamically creating an HTML docu- 
ment from a programming language, we can insert data 
that JavaScript can then incorporate into a map. Next 
month, we will see how we can do this, creating our own 
mashup—grabbing information from one data source and 
then displaying it on a Google map.


Resources for this article: www.linuxjournal.com/article/ 
8393. 


Reuven M. Lerner, a longtime Web/database consultant, is currently a PhD student in 
Learning Sciences at Northwestern University in Evanston, Illinois. He and his wife recently 
celebrated the birth of their son Amotz David. 
If Only You Could Restore Wine


Back up a bit and see how you can keep your files safe. 


Francois! What is that truck doing at the back door to the 
restaurant, and why are they loading up the files from our office? 
I'm not angry, mon ami, and I've already asked them to put every-
thing back. Surely there must be some simple explanation for this.
Quoi? Ah, I see where the error occurred. Francois, when I asked
you to arrange for an off-site backup of our files, I didn't mean I
wanted every piece of paper in the office moved to another loca-
tion. I was talking about the files on our Linux systems—data,
mon ami. Yes, I agree, I should have made my request clearer.

What I really wanted was for you to find a simple, easy-to-use
backup program that would handle network backups, so that we
could store the information from the Linux desktops in this
restaurant to some of our off-site servers. Don't worry, Francois,
I've got just the programs to make things very easy for you. In
fact, I will be showing them to our guests as soon as they arrive.

But they are already here! Quickly, Francois, to the wine 
cellar while | help our guests to their tables. Bring back the 
2000 Napa Valley Cabernet Sauvignon we were submitting to, 
ahem, quality control, earlier today. Vite! Please, mes amis, sit 
and make yourselves comfortable. 

Francois and I were discussing backups and backup software.
Every Linux system comes with some basic, classic and powerful
backup tools. These include the tar, cpio and rsync commands to
name only a few. Many major distributions provide front ends to
these commands via their own administrative interfaces. Today, I
thought it might be interesting to visit some alternative backup
software, all of which make backing up and restoring data easy.


Figure 1. Keep's interface is compact and easy to use.

Ah, Francois, you have returned with the wine. Excellent. 
Please, pour for our guests. 

The first item on our menu is Jean-Remy Falleri’s Keep, a 
simple, easy-to-use backup utility for KDE. What makes it 
attractive for a desktop user is that Keep can sit quietly in the 
background and regularly back up your directories. It does this 
by using its own KDE service daemon. Backups also can be run 
at any time with the click of a button, and restores are a piece 
of cake. Because the package uses rdiff-backup to do its work, 
you need to install this as well. Source is available from the 
Keep Web site (see the on-line Resources), but I found binaries
easy to get from various contrib sites as well. 

Once Keep and its rdiff-backup prerequisite are installed, 
start Keep by running the command, keep. A simple window 
with five icons appears (Figure 1). The top three options are 
the ones you will use most often: adding a directory to the 
backup list, restoring from a backup or running a backup right 
now. Existing backup lists can be edited, and Keep also pro- 
vides a simple backup log. 

When Keep runs for the first time, you'll see a message at 
the bottom of the main window indicating that the Keep 
daemon is not running. That's because the daemon starts when 
you start KDE. You can click the Load button to start it, but if 
you run into problems, have no fear. You also can fire up the 
daemon via the KDE Control Center (command name,
kcontrol). Look under KDE Components, and start the 
daemon from the Services Manager. 

To create a backup, click the Add directory to backup button. 
This starts a wizard-like dialog that begins by asking you to 
select a directory for backup (for example, your home directory). 
Click Next, and a KDE file selector appears from which you can 
identify the location of your backups. Click Next again, and 
you are almost done. The final screen is where you select the 
backup interval (Figure 2). The default is to run automatically 
every three days and to delete archives after 60 days, but you 
can change this to whatever you like. Extra options let you 
select compression and whether or not so-called special files 
are excluded. There’s also a check box to fine-tune what exactly 
gets backed up using the Advanced Configuration dialog. 

Click Finish, and your backup definition is created and 
scheduled to run at a later time. When the Add a backup window 
closes, you'll be back at the main Keep window. Feel free to 
create more than one backup definition with different backup 
intervals. At the bottom of the main window is a View backup 
log button where you can check on the status of your current 
backup. If you don't want to wait for your scheduled backup
to run, click the Backup now button. A small window appears
with the various backup jobs you have defined. Click on the
one you like, and then click OK to launch the backup.


Figure 2. Keep runs automatically scheduled backups.

As the days go on, Keep starts to build a list of incremental 
backups based on the original full backup. Each of these snap- 
shots are dated in preparation for the inevitable. After all, the 
whole point of a backup is to prepare for the day when you need 
to restore something that has gone missing through some disaster, 
non? To restore a file or folder, click the Restore a backup button. 
Choose a backup directory from the list presented, click Next, and 
then choose where you want your directories restored—either in 
the original directory or in an alternate location of your choosing. 
If you want to restore an individual file, you'll want to restore to 
an alternate directory rather than overwriting your own. 

Click Next, and a list of dates appears. This is how you 
decide to which point in time you want to return. Click on a 
date, then click Finish, and the restore process begins. Keep is 
decidedly simple, but if your backup needs are equally simple, 
this is a program worth looking into. 

For the GNOME users out there, we have Aigars Mahinovs’ 
appropriately named Simple Backup. This program was created 
as part of Google's “Summer of Code” and was envisioned as 
an Ubuntu application. Unlike Keep, Simple Backup is a two- 
part application, with the backup configuration as one appli- 
cation and the restore as the other. Like Keep, Simple Backup 
runs predefined backups in the background according to 
whatever schedule you assign. In many ways, however, Simple 
Backup is much more flexible and powerful. You can get 
Simple Backup from SourceForge (see Resources). 

The first step in using Simple Backup is to start the configu- 
ration program. This is done by selecting Simple Backup Config 
from the GNOME System menu in the top panel. Because this 
qualifies as an administrative task, you'll need to enter the root 
password to proceed (or your password if you are running 
Ubuntu). This brings up the Backup Properties dialog (Figure 3). 

Three radio buttons allow you to select your backup settings. 
By default, Simple Backup does standard daily and incremental 
backups of user data to the /var/backup directory. Large data
files, greater than 100MB, are excluded as are multimedia and
temporary files.


Figure 3. The first step in creating a Simple Backup is to define a
backup configuration.

Figure 4. To restore from a Simple Backup, select the date of the backup
you want and choose the directories you want restored.

The Include and Exclude tabs allow you to specify which 
directories or files you want to have backed up. On desktop 
systems, I tend to back up my data, the system configuration
files and nothing else. With servers, I back up everything. Your
choice may likely be somewhere in between. The most interest-
ing option here is the Destination tab, and the reason I suggested
that you choose a custom backup configuration on the General
tab. You still have the option of choosing the default backup
directory of /var/backup as well as an alternate directory.

To recover a directory using Simple Backup, click System on 
the GNOME top panel, and select Simple Backup Restore from 
the Administration submenu. Once again, you'll be asked for a 
confirmation password, after which the Restore files/directories 
dialog appears (Figure 4). 

Your default backup location (or restore source) is indicated at 
the top of the window; however, if you have backups in a differ- 
ent location, click the Custom restore source check box, then enter 
the pathname in the location field and click Apply. A list of avail- 
able backups appears in the drop-down window below. Click on 
one, and the folders from which you can restore will show up in 
the main central area. Navigate to the folder you want (by clicking 
the arrows to expand subdirectories), and make your selection. 

You now have two choices. The first is to restore the folder
as it was, in its original location. In some cases, the right
choice will be Restore As, which lets you select an alternate
location or name for the directory you are restoring. When you
have made your choice, a confirmation box asks you whether
you really, really want to restore the folder to the location
specified. Assuming the answer is yes, click Yes. The whole
process from backup to restore is very simple. If I could make
one recommendation, however, it would be to provide a log
progress window and an easily accessible log. Otherwise,
Simple Backup is very much as the name would indicate.

Finally, I would like to show you Johnathan K. Burchill's
KDar, or KDE Disk Archiver, a friendly, graphical interface to 
Denis Corbin’s powerful command-line dar utility. Of the pro- 
grams on today’s menu, this is by far the most flexible, for rea- 
sons I'll explain shortly. Where the other programs work at the 
directory level, KDar can restore individual files as well. It can 
do full and incremental backups, and it can break up the 
archives into slices to fit on the storage media with which you 
choose to work. This media can be a CD-ROM, DVD and so 
on. You can get KDar from SourceForge (see Resources) where 
source bundles are available. Should you prefer binary pack- 
ages, KDar is easily found on a number of contrib sites. 

Once the package is installed, fire up KDar by running the 
kdar command (use the Alt-F2 quick launch if you prefer). A 
splash screen flashes a moment before the actual interface 
starts (you can turn off the splash screen in the configuration 
dialog under Settings). When the program starts, the main win- 
dow looks fairly plain (Figure 5). Along the top is a pretty stan- 
dard menu bar with some quick access icons directly below. 
Pause your mouse cursor over the icons, and tooltips identify
them for you. Below that are two large, empty panes. The top 
pane lists archives and files, and the bottom is a log window. 
The easiest way to create a backup is to click on the Create 
icon or select Create from the Archive menu off the menu bar. 
Figure 5. KDar's Interface at Start Time

Figure 6. KDar's backups provide a graphical progress report with
estimated time to completion.


You'll be asked for the top-level folder you want to back 
up, where you want the backup stored and so on. You'll 
also be asked to configure creation options, and these are 
substantial, so take some time to look them over. These 
options include compression, cryptography, files and fold- 
ers to include or exclude, and file types to exclude (such as 
MP3, AVI and so forth) and much more. Once you have 
finished with the creation of your backup, you can save 
the profile, export the dar command (more on this in a 
moment), do a dry run of the backup (without actually 
writing) or simply start the backup. A progress window lets 
you know how things are progressing (Figure 6). 

When it comes time to restoring a file or folder, your 
first step is to pull up an existing archive. Click File on the 
menu bar and select using the Open menu (or go for Open 
Recent). The top pane of the KDar main window displays 
the archive with a small arrow beside it. Click the arrow 
to expand the folder list, and each subdirectory also 
opens with an arrow beside it until you get to the file 
level (Figure 7). 

Select the file, directory or combination of both that you 
want restored, then right-click on your selection. This brings 
up a small menu from which you can choose to restore, do a 
diff comparison of your backup against the current files or do 
a test restore (Figure 8). All of these choices also are available 
by clicking Archive on the menu bar. 

KDar provides a log of the restore process, including the 
number of files restored, the time taken and any errors that 
were encountered. 

Whenever you run a backup or a restore using KDar, 
there is a button on the final screen that lets you export 
the equivalent dar command to a bash shell script. This is 
important, because it makes it easy to create cron jobs for 
your backups. Although KDar is much more flexible than 
any of the other candidates I’ve covered, it lacks a daemon 
that backs up in the background. Nevertheless, the shell 
scripts it generates make KDar (and its dar counterpart)
suited to more complex environments. 

Ah, mes amis, if only there was some way to restore 
the clock to an earlier time. It seems that this is still some- 
what beyond the talents of even the most skilled program- 
mer. Until such a time as this wondrous package becomes 
available, I’m sure that Francois will not mind if we keep 
the restaurant open just a little longer so he can refill your 
glasses once more before the final "Au revoir". It's also too
bad that we can't restore all this wine. Can you imagine
it, mes amis? An endless wine cellar. That dream is
very much alive. On that note, please raise your glasses,
mes amis, and let us all drink to one another's health.
A votre santé! Bon appétit!


Figure 7. KDar can restore individual files as well as directories.

Figure 8. The final step in a KDar restore allows you to store or load
profiles. You also can export the commands to a shell script.


Resources for this article: www.linuxjournal.com/article/ 
8940. 
DAVE TAYLOR


Coping with Aces


An Ace in the hole helps this longest Blackjack exercise ever.


A lot of programmers talk about highly efficient code as being
"elegant", but in my experience, most elegant code is also lazy code.


Somehow, writing this Blackjack game is starting to feel 
like the programmatic equivalent of that Three Stooges skit 
where “slowly he turned, step by step...”, but we're still going 
to have to work on the core logic of the game before we're 
ready to write the fun interface elements. 

This month, in fact, we might well find that we have to 
tear some of the earlier script apart and rebuild it to compen- 
sate for a troubling aspect of the game of Blackjack: an Ace 
can be either high or low, which is to say that it can be worth 
one or 11 points. Dealt two aces, you then have a number of 
different possible values, and that’s a problem. 


The First Ace Is Always Worth Eleven 
It turns out that there's a sneaky way you can solve this prob- 
lem simply by maximizing the value of the first Ace encoun- 
tered, as long as the overall value of the hand doesn't exceed 
our cap of 21 points. So, two Aces would be worth 11 + 1 
automatically (the first is maximized, but the second is not 
because it would push us over 21 points). 

The portion of the code that must be rewritten to compen- 
sate for this Ace valuation strategy is the handValue function: 


function handValue
{
  # feed this as many cards as are in the hand
  handvalue=0   # initialize
  for cardvalue
  do
    rankvalue=$(( $cardvalue % 13 ))
    case $rankvalue in
      0|11|12 ) rankvalue=10 ;;
      1 )       rankvalue=11 ;;   # every Ace counts 11 here (the bug)
    esac
    handvalue=$(( $handvalue + $rankvalue ))
  done
}


This is the “before” picture from last month. Notice that 
the second line in the case statement currently assigns a rank 
value of 11 to every Ace encountered. Clearly that’s a bug! 

To change it, however, | need to add a new variable that 
keeps track of whether I’ve already seen a previous Ace in the 
hand. | ingeniously call that seenAce: 


function handValue
{
  # feed this as many cards as are in the hand
  handvalue=0   # initialize
  seenAce=0     # becomes 1 once an Ace has been counted as 11
  for cardvalue
  do
    rankvalue=$(( $cardvalue % 13 ))
    case $rankvalue in
      0|11|12 ) rankvalue=10 ;;
      1 ) if [ $seenAce -eq 1 ] ; then
            rankvalue=1
          else
            rankvalue=11 ; seenAce=1
          fi ;;
    esac
    handvalue=$(( $handvalue + $rankvalue ))
  done
}


Looks like it'll do the job—or will it?

The problem here is best illustrated with a hand like 9 + 10 + A. That's a valid Blackjack hand and should be worth 20 points. But handValue will score it as 30 points, and the program will incorrectly classify that hand as a bust.

Solving this isn’t too hard once the problem is recognized, but that’s the great challenge of writing any code, isn’t it? To anticipate and characterize bugs and glitches properly. The solution is often quite simple, but knowing there's a bug in the first place, ah, that's where the great programmers find their calling!

The solution in this situation is that we need to deduct ten points from the hand score if it’s more than 21 points and there’s an Ace—a condition that turns out to be added easily to the tail end of the function:


        handvalue=$(( $handvalue + $rankvalue ))
      done

      if [ $handvalue -gt 21 -a $seenAce -eq 1 ] ; then
        handvalue=$(( $handvalue - 10 ))
      fi
    }
This is the first time I’ve used a complex conditional statement in our script, but you’re already familiar with this type of multi-expression conditional. If we were using a C-like language, the conditional might look like:

    if ( ( handvalue > 21 ) && ( seenAce == 1 ) )

The snippet in the shell script shown above is the equivalent conditional, with the -a serving as the logical AND statement. It wouldn’t work in this context, but -o is the logical OR statement in a shell test conditional too, and if you need to, you can use parentheses for grouping.

To test our new code, I'm going to replace the main body of the program temporarily with a few preloaded test hands and see what kind of hand values are returned:

    echo "Starting out with two aces..."
    handValue 1 14
    echo "handvalue = $handvalue"

    echo "now testing 9 + 10 + A"
    handValue 9 10 1
    echo "handvalue = $handvalue"

    echo "and, for good luck, testing K + A"
    handValue 12 1
    echo "handvalue = $handvalue"


First, I'll run this with the original handValue function, anticipating mistakes:

    Starting out with two aces...
    handvalue = 22
    now testing 9 + 10 + A
    handvalue = 30
    and, for good luck, testing K + A
    handvalue = 21


Yup. That's not good. We'd be quickly run out of Vegas for that sort of counting.

Now, I'll slip in the new seenAce code segments explained earlier and try this same set of test hands:

    Starting out with two aces...
    handvalue = 12
    now testing 9 + 10 + A
    handvalue = 20
    and, for good luck, testing K + A
    handvalue = 21

What do you know, it looks like we've come up with a savvy way to allow the Ace to have two possible values without a major rewrite of the code.
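As an added example (not code from the column), here is the general form of the rule the column arrives at, in the same Bourne-shell style: every Ace starts at 11, then high Aces are demoted to 1 one at a time while the hand is over 21. The column's single -a seenAce deduction is the one-Ace case of this loop; the function name hand_value and the convention of printing the result instead of setting a global are my choices, not the column's.

```sh
#!/bin/sh
# Added example, not code from the column: the general "demote while bust"
# form of the Ace rule. Card encoding follows the column: card % 13 gives
# the rank, 1 = Ace, 0/11/12 = face cards worth 10, 2-10 = pip value.
# The value is printed rather than left in a global, so callers can use
# $(hand_value ...) and the function can be tested on its own.
hand_value()
{
  total=0
  aces=0            # number of Aces currently counted as 11
  for card
  do
    rank=$(( card % 13 ))
    case $rank in
      0|11|12) rank=10 ;;
      1)       rank=11 ; aces=$(( aces + 1 )) ;;
    esac
    total=$(( total + rank ))
  done
  # Demote high Aces one at a time until the hand is no longer over 21
  # or no high Aces remain. With a single Ace this is exactly the
  # column's "if handvalue > 21 and seenAce then subtract 10" step.
  while [ "$total" -gt 21 ] && [ "$aces" -gt 0 ]
  do
    total=$(( total - 10 ))
    aces=$(( aces - 1 ))
  done
  echo "$total"
}

# Constructed test hands: the column's three, then multi-Ace edge cases
# (A A A 8 should be 21, 10 A A should be 12).
for hand in "1 14" "9 10 1" "12 1" "1 14 27 8" "10 1 14"
do
  printf '%-12s -> %s\n' "$hand" "$(hand_value $hand)"
done
```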


The Virtue of Lazy Coders

Good. Indeed, it’s my belief that the best programmers are actually lazy and want to solve problems in the easiest and most efficient way possible. Laziness breeds ingenuity, remember, so although I could have rewritten the blackjack script to use an array of possible hand values to model the multivalue hand, why bother? The fact that a given hand has more than one value isn’t really important as long as we can compensate for that fact correctly in the code.

A lot of programmers talk about highly efficient code as being “elegant”, but in my experience, most elegant code is also lazy code. I know that I’m constantly looking for those smart shortcuts, those insights that let me create something that might be less efficient in its performance, but far easier to code, far faster to debug and far speedier to deploy in the field.

One great skill that programmers can nurture is being able to recognize quickly the good-enough solution too. Highly analytic by nature, we code geeks suffer from a little bit of perfectionism, and writing the perfect routine at the cost of additional days or weeks of development easily can end up being less utilitarian and less useful than having a pretty decent routine that does the job and can be improved later, in the next release, a maintenance patch or whatever.

Is this laziness what causes us to have software with so darn many bugs though? I don’t think so. I think bugs in products are due to the ever-increasing level of complexity of software, be it an administrative tool for a Linux box, an Apache module or an Ajax-y Web-based utility. And software like an operating system or kernel? Of course it’s going to have bugs. It's far too complex ever to test for all possible conditions, cases and situations. In fact, seeking efficient solutions that can be pushed out into the field can help reduce bugs. It’s not testing software that finds the most egregious problems, but customers putting software through real-world tasks.

I'm not advocating that we should ship sloppy code, however. Simply that in the classic model of alpha and beta releases, getting code into the field ultimately can produce far more robust applications than having it stay in development forever as more and more complex test cases and usage scenarios are pushed through simulators.

But, ahem, I digress!

For now, we've come up with a nice, simple solution to the dual-value problem with Aces, and let's leave our script here for this month. Next month, we'll reintegrate the new code into the main game and add some additional code to detect when either the player or dealer has a blackjack (a two-card 21).


Dave Taylor is a 26-year veteran of UNIX, creator of The Elm Mail System, and most recently author of both the best-selling Wicked Cool Shell Scripts and Teach Yourself Unix in 24 Hours, among his 16 technical books. His main Web site is at www.intuitive.com.
MICK BAUER

Security Features in Red Hat Enterprise 4

Red Hat Enterprise Server proves that less can be more, especially with the help of well-implemented SELinux.

This month, I conclude a three-part series on distribution-specific security features. I began with SUSE Linux 10.0, continued on to Debian GNU/Linux 3.1 and this month I discuss Red Hat Enterprise Linux (RHEL) ES 4.

Red Hat Enterprise Linux is a general-purpose Linux distribution targeted to both desktop and server markets. As the name implies, RHEL is intended to be highly robust, stable and scalable; in other words, suitable for production use across large enterprises. And, sure enough, RHEL enjoys the reputation of delivering on all counts. Like SUSE, RHEL even runs on IBM eServer z-Series mainframes.

To a much greater degree than Debian, however, and to a significantly greater degree than SUSE, Red Hat adheres to a strict philosophy of less is more where bundled software packages are concerned. Whereas Debian is composed of more than 15,000 packages and SUSE of more than 4,000, RHEL ES 4 weighs in at a mere 1,730 (if you include RHES Application Server and Extras packages, which aren't part of the base OS, strictly speaking).

I don’t think it’s at all euphemistic to say that this is an easily defended design choice. By limiting the number of packages it officially supports, Red Hat has a much smaller attack surface (not to mention help-desk surface). Fewer packages mean less complexity; less complexity means better stability and security (at least in theory).

The downside of this design philosophy is obvious. It means fewer choices in any given tool space (network servers/daemons, encryption tools and so on), less flexibility and greater likelihood that you'll end up installing third-party packages or even compiling them yourself from source.

As I've said many times in this column, there’s no harm in rolling your own, especially when that means you’re compiling out (excluding) unnecessary or potentially insecure features. But, nothing beats distribution-supported binary packages when it comes to automated security updates. And, none of the major Linux distributions besides Gentoo has any automated means of applying security patches directly from source code to locally compiled software.

Furthermore, as I’m about to show, RHEL ES 4 is particularly thin in the specific realms of security-enhancing software (with the sole exception of SELinux) and security-scanning software. This doesn’t mean that I think RHEL is insecure; its smaller attack surface and its excellent SELinux support are both highly significant. It does mean, however, that you’ve got fewer choices in how you secure your RHEL-based server or desktop system, and even fewer choices in how you use it in security applications, than is the case with other major distributions.


38 | june 2006 www.linuxjournal.com

Installing RHEL ES 4

Red Hat Enterprise Linux ES 4 has a very easy-to-use installation GUI that, besides installing the base operating system, allows you to select additional software packages, set the root password, set up networking, enable a simple local firewall policy and enable SELinux. After the first reboot, this installer runs additional modules for setting up a Red Hat Network subscription, creating the first nonroot user account and configuring the X Window System.

Personally, I don’t care for the Red Hat installer’s software package selection module at all. First, it allows you to select only from a subset of the packages available on the installation medium. (That is, as far as I could tell—it could simply be that a few packages I knew were available but couldn't find, such as gnupg, were simply buried within categories in which I didn’t think to look.) For the packages it does display, the installer shows neither detailed descriptions nor even approximate disk space required.

In addition, its dependency-checking functionality is decidedly primitive. If the software installer can’t find something it needs, it returns an error but doesn’t give you any means of solving the problem (locating the missing package, deselecting or uninstalling the package with the unmet dependency and so on). Although simplicity may be a virtue, this limited functionality doesn’t compare very favorably at all with Debian’s aptitude package management tool or SUSE’s YaST. If you want to run this installer module again after installation is complete, it’s located in GNOME's Application menu under System Settings under Add/Remove Applications, though I think you might be much happier performing additional software installations using up2date or even good old RPM.

So, what security-related packages are available in RHEL ES 4? Table 1 lists most of them. In a nutshell, if you want to secure the local system, SELinux and your local firewall policy are very nearly the only tools available to you. If you want to audit and analyze the security of other systems, RHEL ES 4 has very little to offer besides Nmap.

On the face of it, this is a decent list of applications; these are all important security-enhancing tools. Notably absent, however, are:


■ Any sort of file-integrity checker, such as Tripwire or AIDE.

■ Syslog-NG, a much more powerful system logger than the archaic syslogd on which RHEL still relies.

■ Any sort of virtualization environment (user-mode Linux, Bochs, Xen and so on).

■ The ubiquitous intrusion detection system and packet-logger Snort.

■ Web security tools such as squidguard, mod_security and so on.
Table 1. Some Security-Enhancing Packages in RHEL ES 4

Package Name                           Description
bind-chroot                            Configures your BIND-based DNS server to run in a chroot jail.
dovecot                                IMAP server (mail delivery agent) designed for security.
freeradius                             RADIUS authentication service for network devices.
krb5-server                            Kerberos authentication/encryption server.
splint                                 Tool for auditing C code for bugs, including security vulnerabilities.
vsftpd                                 Very Secure FTP Daemon: RHEL's only FTP server, but an excellent choice.
cryptsetup                             Tool for creating encrypted filesystems (as virtual block devices).
ethereal, tcpdump                      Classic protocol analyzers (aka packet sniffers).
gnupg                                  GnuPG e-mail/general-purpose encryption tool.
ipsec-tools                            Utilities for building IPsec VPN tunnels.
nc                                     Netcat, a versatile IP packet redirector.
nmap, nmap-frontend                    The Nmap port scanner and its GUI front end.
openldap-clients, openldap-servers     OpenLDAP directory and authentication system.
openssh                                The most popular free Secure Shell daemon and client.
openssl                                General-purpose SSL/TLS cryptographic library and tools.
policycoreutils, setools, setools-gui  Tools for configuring and managing SELinux policies.
selinux-doc                            Not installed by default, but you'll want this collection of SELinux documents.
postfix-pflogsumm                      Log summarizer for the Postfix mail transfer agent.
spamassassin                           Popular SPAM/UCE filter.
stunnel                                General-purpose SSL/TLS wrapper for TCP applications.
sudo, usermode                         Tools for allowing nonprivileged users to run processes as root.
tcp_wrappers                           Provides simple IP-based access controls to TCP applications.
up2date, up2date-gnome                 Red Hat’s automated network-based software update tool.


You're perfectly free, of course, to download and compile the source code of any of these tools manually. But, you won't be able to leverage up2date's automatic update features on such packages.

So, both in terms of available security packages and the software installer itself, RHEL is a bit underwhelming. On the plus side, I do like the Red Hat Enterprise Linux installer’s firewall/SELinux module (Figure 1). Both the firewall and SELinux functionality are enabled by default, and the help window on the left-hand portion of the screen explains both settings in plain language.

Figure 1. Firewall and SELinux Configuration in RHEL ES 4

If you're completely new to SELinux, you can select a warn setting that causes the kernel to log events that violate the local SELinux policy without actually blocking those events. By default, however, SELinux is set to active, using a default policy that restricts the behavior of Apache (httpd), bind, NIS (ypbind), dhcpd, mysqld, ntpd, portmap, postgresql, snmpd, squid and syslogd.

The last thing worth noting about the Red Hat Enterprise Linux ES 4 installer is that both during initial setup, when you enter the root password, and after the first reboot, when you create the first nonroot user account, the installer performs no password complexity checks of any kind (of the sort SUSE's installer performs). It doesn't even warn against choosing an overly simple password via a simple text box like Debian does.

This is unfortunate. Password guessing and brute-force attacks are still very much with us. I was pleased to see, however, that by default, the XScreenSaver utility is configured to lock X sessions by password automatically any time the screensaver kicks in. (If only those passwords that protect XScreenSaver were required to include some combination of mixed upper-/lowercase, punctuation and numerals, I'd be happier still!)


Automated Updates with up2date

Keeping your system up to date with the latest security patches is absolutely essential on any Linux system. Red Hat was a pioneer in offering automatic updates when it introduced the combination of the up2date utility and the Red Hat Network service offering several years ago, and this system is even more mature now.

The way this works is that when you set up your Red Hat system (any current version), after the first reboot you're prompted to configure a Red Hat Network subscription. A subscription with an RHN Update entitlement is included with every Red Hat product. When prompted, you simply enter the user name and password you'd like to use (one account can be used to manage multiple systems under the same subscription), and then the subscription number printed on the Activate Your Subscription card that came with your Red Hat installation media.

The net effect of all this (no pun intended) is that you now will have an active subscription to the Red Hat Network service, with a system profile corresponding to your new Red Hat system, which in turn is associated with an RHN Update entitlement that allows your system to check for and download the latest versions of all software packages that are part of the version of RHEL you purchased.

The simplest way to check for and apply security updates is to right-click the icon for the Red Hat Network Alert Notification Tool on your GNOME desktop (it’s a glowing red exclamation point if your system isn’t up to date, or a blue check mark if it is), and select Check for updates, run up2date and so on, as needed.

You can set up automatic updates by logging on to the Red Hat Network Web site (www.redhat.com/en_us/USA/rhn for US users) with your RHN credentials, clicking on the Systems tab, clicking on your system's profile, clicking Properties and checking the box next to Automatic application of relevant errata (Figure 2). Obviously, you shouldn't enable this feature on high-availability or change-controlled systems, because software patches always have the potential to introduce other bugs or conflicts.
Figure 2. Configuring Auto-Updates Via the RHN Web Site


SELinux on Red Hat Enterprise Linux

As we've seen, RHEL seems to rely very heavily on SELinux for system security. This is hardly a sloppy or mentally lazy design choice; SELinux provides a comprehensive and granular array of mandatory access controls against system users, applications, processes and files. As described in the previous section, the included targeted SELinux policy provides default controls on some of the most commonly used applications.

This default policy's behavior can be tweaked easily using the Security Level applet accessible via GNOME's Application→System Settings menu (Figure 3). The same applet can be used to configure a simple local firewall policy.

The implementation of SELinux in RHEL ES 4 is truly commendable for its simplicity, not to mention the very fact that it’s enabled by default. That's the good news; the less-good news is that to create a custom SELinux policy, that is, one that uses tighter or looser controls than the included policy or one that addresses other applications, you're going to have to do some reading. The best place to start is the Red Hat Enterprise Linux 4 Red Hat SELinux Guide, available at www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide.

You'll also probably want to install some extra GUI tools for this purpose too, namely the setools and setools-gui packages. These packages provide, among other things, sepcut, apol, seaudit and seuserx. For more information on what these tools do and how to use them, see the documents in /usr/share/doc/setools-1.5.1 (the directory name on your system may reflect a different version number).

Although the up2date/RHN system is mature and feature-rich (especially for large organizations with the need and ability to pay for network management and provisioning entitlements), as a Linux desktop user, I find it more difficult to use than Debian’s apt system (which is more primitive in some ways, but easier to script) or SUSE’s YaST Online Update system (which is much easier to configure).

Oddly, as with many other aspects of RHEL, up2date configuration options appear to be spread across multiple GUIs, including the Red Hat Network Web site, unless of course you configure things from a shell (in which case everything you need is in /etc/sysconfig). If you administer Red Hat on servers (that may not even have the X Window System installed, which is always a good policy on hardened systems) or are otherwise command-line-centric, I’m sure up2date and other Red Hat functions are easy to learn. Ironically, I find many of RHEL’s GUIs, which are, of course, supposed to simplify things, confusing. (But maybe it's just me!)


Firewall Functionality in RHEL

I've already mentioned the Security Level applet in RHEL ES 4's GNOME desktop. Unlike with SELinux, this applet doesn’t give you much more in the way of configuration options for the local firewall policy than you get at installation time. This policy allows all outbound network transactions (originating from the local system), and blocks all inbound network transactions (destined for the local system) except the services you select here. Those services are, as in the Red Hat installer, HTTP, FTP, Telnet, mail (SMTP) and SSH.

In the Security Level applet, you also can specify a list of other ports in the form [port #]:[protocol], for example 689:tcp, 53:udp, 53:tcp. If you need anything fancier than that, you have to write your own iptables statements from scratch. Happily, you can do so simply by adding or editing lines in the file /etc/sysconfig/iptables. See the iptables man page and the Red Hat Enterprise Linux 4 Security Guide for more information.
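As an added example (not from the column and not Red Hat's own tooling), here is a small POSIX shell generator for the /etc/sysconfig/iptables file just mentioned: it takes the same port:protocol specs the Security Level applet accepts, refuses to write anything if a spec is malformed, and emits the allow-outbound, reject-inbound-except-listed-services policy the section describes. The chain name RH-Firewall-1-INPUT and the file layout mirror what Red Hat's installer wrote on RHEL 4 but are assumptions here; compare them with your own file before replacing it.

```sh
#!/bin/sh
# Added example, not from the column or from Red Hat: builds the contents of
# /etc/sysconfig/iptables for the policy the article describes (everything
# outbound allowed, everything inbound rejected except listed services),
# from the same "port:protocol" specs the Security Level applet accepts.
# ASSUMPTION: the chain name RH-Firewall-1-INPUT mirrors what Red Hat's
# installer wrote on RHEL 4; match whatever your own file uses.

# valid_spec PORT:PROTO -> returns 0 if PORT is 1-65535 and PROTO is tcp|udp
valid_spec()
{
  port=${1%%:*}
  proto=${1##*:}
  case $port in
    ''|*[!0-9]*) return 1 ;;           # empty or not all digits
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  case $proto in
    tcp|udp) return 0 ;;
    *)       return 1 ;;
  esac
}

# gen_rules SPEC... -> prints the iptables-save text for the given services.
# Every spec is validated before anything is printed, so a typo such as
# "53:upd" fails the whole run instead of silently dropping a service or
# leaving a half-written, over-permissive file behind.
gen_rules()
{
  for spec
  do
    valid_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
  done
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
  for spec
  do
    port=${spec%%:*}
    proto=${spec##*:}
    echo "-A RH-Firewall-1-INPUT -m state --state NEW -m $proto -p $proto --dport $port -j ACCEPT"
  done
  # Anything inbound not matched above is rejected; OUTPUT stays ACCEPT,
  # which is the "all outbound, selected inbound" policy from the applet.
  echo "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited"
  echo "COMMIT"
}

# Constructed input: SSH plus the ports the article uses as examples.
# On RHEL, redirect the output to /etc/sysconfig/iptables and run
# 'service iptables restart' to load it.
gen_rules 22:tcp 689:tcp 53:udp 53:tcp
```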


Directory Services and PKI

It's worth mentioning that Red Hat recently acquired Netscape Directory Server, and has updated it and rebranded it as Red Hat Directory Server. This is being positioned as a commercially supported alternative to OpenLDAP or Sun Java System Directory Server. Although not included with RHEL (it's an add-on product that costs extra), it’s worth mentioning as a key component of Red Hat's security vision. RHEL does include fully supported OpenLDAP packages, however.

In the same vein, Red Hat Certificate System provides a commercially supported PKI solution. It too is an add-on product not included with RHEL. OpenSSL is included with RHEL, of course, but without any additional setup tools such as TinyCA.


Conclusion

I have mixed feelings about Red Hat Enterprise ES 4’s security features. On the one hand, RHEL doesn’t offer anywhere near as many different security-enhancing software tools as Debian GNU/Linux or SUSE Linux. Entire categories of security tools that are well represented in other major Linux distributions (integrity checkers, intrusion detection systems, virtualization environments and so on) are absent.

On the other hand, Red Hat has clearly maintained an unparalleled level of control over the size and scope of its distribution. It has made hard choices about what it will support and maintain, and what it will not, which surely reduces the attack surface of Red Hat systems. I have no doubt that Red Hat's security team has an easier time responding to vulnerabilities in RHEL's 1,730 packages than the Debian security team does with that distribution’s 15,000-plus packages.

Furthermore, by not only including SELinux in RHEL 4 but also enabling it by default, Red Hat has taken a very bold step. The kernel-level mandatory access controls provided by SELinux provide the potential to mitigate many of the risks one might otherwise use add-on utilities to address. Furthermore, because this sort of technology is proactive, designed to prevent bad behavior, it’s inherently stronger than intrusion detection, integrity checking and other reactive technologies (though it would be better if RHEL had both proactive and reactive measures—even with SELinux, bad things can happen).

Whether you find RHEL to be lean and mean or limited and clunky will depend on your particular Linux needs. I'll allow that some of the reasons I’m not as keen on RHEL as I am on Debian and SUSE are specific to my job as a security architect and consultant. I rely on a specialized set of tools, most of which RHEL has judged to be unnecessary for its target market—presumably IT professionals in corporate settings. Still, it seems to me that if I needed to secure a corporate Web server running RHEL, with or without SELinux, I'd still want to install mod_security, Squidguard, Syslog-NG and other tools manually that RHEL presently lacks.


Mick Bauer (darth.elmo@wiremonkeys.org) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.


Shoring Up the Seawall

Trademark protection is necessary, if only because people seek to exploit what is unprotected.


Hurricanes often show the fragility of a beachhead town, particularly one whose seawall is not strong or high enough. Sometimes sandbags can save the day—if the weakness of the wall is local, if the strength of the hurricane is not high enough and if you have enough time and help to put the sandbags in place. But nothing beats having a well-designed and implemented seawall long before the storm hits, and often it is best to overbuild, as those “once in a lifetime” storms seem to be happening more and more often.

In 1994, a hurricane hit the Linux community. A man in Boston trademarked the term Linux and started to send out letters to Linux companies saying that he owned the term and would license it out to companies for only one-quarter of their revenue. The fledgling Linux community was shocked, and individual companies started to gather their sandbags (er, ah) lawyers to fight this attack. Linux International (LI) stepped in and acted as a channel for hiring the legal firm of Davis and Schroeder of Monterey, California (another beautiful coastal town). Through a long and arduous process costing tens of thousands of dollars and much pro bono (read that as gratis) legal service, LI eventually had the trademark transferred to Linus Torvalds, who has held it ever since.

Linus wants everyone to use the name Linux for any legitimate purpose, and he really wanted it to go into the public domain. However, we found that there were people who wanted to use the name for a business that (although it was legal) was not what Linus wanted his name to be associated with—a porn site.

Linux had come into its own. As long as the word Linux had no value, no one cared about it. But as soon as the word Linux was perceived to be of value, people stepped forward to make what money they could, in both legitimate ways and less legitimate ways. We understand that other trademarks of other free and open-source software projects have seen similar issues, and we share their pain.

If the trademark had been in the public domain, there would have been nothing Linus could have done about the porn site, but because he was the registered owner of the mark, he could demand that the porn site stop using the mark, which they did after only a single, pointed letter from LI’s law firm.

Eventually, the law firm convinced Linus that the trademark needed to be “protected” under the US trademark laws. This meant that if people just used the trademark any way they wanted, eventually it would become public domain and all the pornography sites could be “Linuxporn”, and there was nothing he could do about it. Of course, there are other undesirable uses of the name, but this was one of the ones we encountered.

Because Linus considers himself an engineer, and did not want to deal with the day-to-day business of protecting the Linux trademark, he empowered the law firm and an old friend to create a nonprofit entity called Linux Mark Institute (LMI) to do this protection. LMI then started to sublicense the name to various companies who were using Linux as a trademark.

Although this column is too short to go into all the technical detail of what it means to use Linux as a trademark, or part of a trademark, the term Linux can be used in a fashion of fair use, which requires no licensing, but still should properly attribute the ownership of Linux to Linus Torvalds. I am sure the reader has seen the normal type of attribute at the bottom of some page (perhaps even in this magazine) that says, “The registered trademark Linux(R) is used pursuant to a license from Linus Torvalds, owner of the mark in the US and other countries.”

This is normally used when you just say the word Linux in some type of printed or electronic document, such as the Linux Journal.

But the incorporation of the name Linux into another name is what really needs to be licensed, and LMI’s job became to seek out and sublicense the Linux mark to people and companies wishing to use the name.

LMI assembled an astute group of people to administer this trademark, people whose honesty and integrity were without question, and they started to formulate a sublicense that would:

■ Protect the Linux mark.

■ Allow businesses that were making money by using the name to help pay for the costs of administration.

■ Allow LUGs, developers and low-revenue nonprofits to have a license at no charge.

And to make sure that things were on the right path, Linus kept the right to terminate this mechanism if it was not found to be carrying out his wishes.

There were some things that LMI absolutely needed to do to make sure it met the enforcement criteria. And, as often with free software things, the concept of licensing out the trademark for legitimate uses more or less did not mesh with the normal concept in trademark law of protecting the usage from other than the trademark holder “no matter what”. LMI still managed to get through the knot holes to create a proper sublicense.

Just as everything started to move into place, an emergency happened in Australia that forced LMI to become active “before its time”, and the world started to realize that although Linux (the kernel code) was already freely licensed, trademark law required the name to be licensed separately if not used in a fair-use way.

Immediately, there was wailing and gnashing of teeth from people who did not understand trademark law, did not make any use of the mark of Linux other than in fair use, and from people who never even heard of the word Linux before—in short, from everyone except those who were really affected. To be sure, some fine-tuning of the sublicense was needed, which was done, but not a single person who was really affected by the trademark sublicense objected to the premise, because as business people and trademark holders themselves, as members of the small commercial Linux community, they knew that the seawall needed rebuilding.

Today, people who use the term Linux as a proper trademark for their product can get a sublicense at the Linux Mark Institute (www.linuxmark.org). People and groups that make less than $50,000 US per year in revenue pay nothing. Companies starting up that have not made any revenue to date using the Linux mark pay nothing. Only companies that have made more than $50,000 US per year in revenue on products using the Linux mark pay a small percentage of that money to LMI. And, for very large companies making very large amounts of money on the Linux product, there is a cap on how much they pay.

Linux Mark Institute is a true nonprofit. None of the board of directors receives any salary. LMI employs only the bare minimum of staff. All money collected goes toward legal fees to protect the Linux name that otherwise would not be protected. Over time, if activity warrants it, we will reduce the license fees. But today, we feel the fees are fair, necessary and will not hurt anyone wishing to use the mark.

For all of those people who use the name Linux proudly, we ask only that you attribute it correctly, and that if you have any questions about whether you need a license, read the information at the Linux Mark Institute site.

Help us maintain a strong seawall.


Jon “maddog” Hall is the Executive Director of Linux International 
(www.li.org), a nonprofit association of end users who wish to support 
and promote the Linux operating system. During his career in com- 
mercial computing, which started in 1969, Mr Hall has been a pro- 
grammer, systems designer, systems administrator, product manager, 
technical marketing manager and educator. He has worked for such 
companies as Western Electric Corporation, Aetna Life and Casualty, 
Bell Laboratories, Digital Equipment Corporation, VA Linux Systems and 
SGI. He is now an independent consultant in Free and Open Source 
Software (FOSS) Business and Technical issues. 
Use and Usefulness 


Which comes first, the kernel chicken or the user-space egg? 


I've always been intrigued by the distinctions between kernel 
space and user space. At the technical level, the distinction is 
largely between memory spaces: one where the kernel executes 
and provides services, and one where user processes run. As a 
rule, it’s safer to run something in user space when it is possible, 
because user-space processes can’t mess with the critical parts of 
the operating system. At a conceptual level, however, there also 
seems to be a distinction between usefulness and use. 

I didn't start to see that distinction until I spent a week in 
October 2005 on a Linux Lunacy Geek Cruise with Andrew 
Morton, Ted Ts'o and a bunch of other kernel hackers. Andrew 
and Ted gave a number of talks, and I got a chance to spend 
additional time interviewing Andrew at length. As a result, I 
came to the conclusion that Linux is a species, and unpacked 
that metaphor in a Cruise Report on the Linux Journal Web site 
in November. Here's the gist of it: 


Kernel development is not about Moore's Law. It’s about 
natural selection, which is reactive, not proactive. Every 
patch to the kernel is adaptive, responding to changes in 
the environment as well as to internal imperatives toward 
general improvements on what the species is and does. 


We might look at each patch, each new kernel version, 
even the smallest incremental ones, as a generation 
slightly better equipped for the world than its predeces- 
sors. Look at each patch submission—or each demand 
from a vendor that the kernel adapt to suit its needs in 
some way—as input from the environment to which the 
kernel might adapt. 


We might look at the growth of Linux as that of a suc- 
cessful species that does a good job of adapting, thanks 
to a reproductive cycle that shames fruit flies. Operating 
systems, like other digital life forms, reproduce exuber- 
antly. One cp command or Ctrl-D, and you've got a 
copy, ready to go—often into an environment where the 
species might be improved some more, patch by patch. 
As the population of the species grows and more patch- 
es come in, the kernel adapts and improves. 


These adaptations are reactive more often than proactive. 
This is even, or perhaps especially, true for changes that 
large companies want. Companies such as IBM and HP 
for example, might like to see proactive changes made to 
the kernel to better support their commercial applications. 


Several years ago, I had a conversation with a Microsoft 
executive who told me that Linux had become a project 
of large commercial vendors, because so many kernel 
maintainers and contributors were employed by those 
vendors. Yet Andrew went out of his way to make clear, 
without irony, that the symbiosis between large vendors 
and the Linux kernel puts no commercial pressure on the 
kernel whatsoever. Each symbiote has its own responsi- 
bilities. To illustrate, he gave the case of one large com- 
pany application: “The [application] team doesn't want 
to implement [something] until it's available in the ker- 
nel. One of the reasons I'd be reluctant to implement it 
in the kernel is that they haven’t demonstrated that it’s a 
significant benefit to serious applications. They haven't 
done the work to demonstrate that it will benefit appli- 
cations. They'‘re saying, ‘We're not going to do the work 
if it's not in the kernel.’ And I'm saying, ‘I want to see 
that it will benefit the kernel if we put it in.’” 


He added, “On the kernel team, we are concerned 
about the long-term viability and integrity of the code 
base. We're reluctant to put stuff in for specific reasons 
where a commercial company might do that.” He says 
there is an “organic process” involved in vendor partici- 
pation in the kernel. 


It made my year when Greg Kroah-Hartman (a top-rank 
kernel maintainer) called this “one of the most insightful 
descriptions about what the Linux kernel really is, and how it is 
being changed over time”. 

A few weeks ago, I was talking with Don Marti about how 
all open-source projects seem to have the same kind of division 
between kernel space and user space—between code and 
dependencies on that code. It was in that conversation that I 
realized the main distinction was between usefulness and use. 
Roles as well as purposes were involved. Only developers con- 
tribute code. The influence of users, or even “usability 
experts”, is minimized by the meritocracy that comprises the 
development team. “Show me the code” is a powerful filter. 

Most imperatives of commercial development originate and 
live in user space. These include selling products, making profits 
and adding product features that drive future sales. None of these 
motivations are of much (if any) interest to kernel development. 
Again, kernel development is reactive, not proactive. For compa- 
nies building on Linux, the job is putting Linux to use, not telling it 
how to be useful. Unless, of course, you have useful code to con- 
tribute. (Greg Kroah-Hartman has put together an excellent set of 
recommendations. See the on-line Resources for links.) 

A few tradeshows ago, Dan Frye of IBM told me it took years 
for IBM to discover that the company needed to adapt to its ker- 
nel developers, rather than vice versa. I am sure other employers 
of kernel developers have been making the same adjustments. 
How long before the rest of the world follows? And what will the 
world learn from that adjustment that it doesn’t know now? 

I began to see an answer take shape at O'Reilly's Emerging 
Technology Conference in March 2006. I was sitting in the audi- 
ence, writing and rewriting this very essay, when George Dyson 
took the stage and blew my mind. George grew up in Princeton, 
hanging around the Institute for Advanced Study where his father, 
Freeman Dyson, worked with Godel, Einstein, Turing, von 
Neumann and other legends in mathematics, physics and comput- 
ing. Today, George is a historian studying the work of those same 
great minds, plus antecedents running back hundreds of years. 

George's lecture, titled “Turing's Cathedral”, reviews the deep 
history of computing, its supportive mathematics and the staging 
of a shift in computing from the mechanical to the biological— 
one that von Neumann had begun to expect when he died tragi- 
cally in 1957 at the age of 53. Here’s how George approaches 
questions similar to the one that had been on my mind: 


“The whole human memory can be, and probably in a 
short time will be, made accessible to every individual”, 
wrote H. G. Wells in his 1938 prophecy World Brain. “This 
new all-human cerebrum need not be concentrated in any 
one single place. It can be reproduced exactly and fully, in 
Peru, China, Iceland, Central Africa, or wherever else seems 
to afford an insurance against danger and interruption. It 
can have at once, the concentration of a craniate animal 
and the diffused vitality of an amoeba.” Wells foresaw not 
only the distributed intelligence of the World Wide Web, 
but the inevitability that this intelligence would coalesce, 
and that power, as well as knowledge, would fall under its 
domain. “In a universal organization and clarification of 
knowledge and ideas...in the evocation, that is, of what I 
have here called a World Brain...in that and in that alone, it 
is maintained, is there any clear hope of a really Competent 
Receiver for world affairs....We do not want dictators, we 
do not want oligarchic parties or class rule, we want a 
widespread world intelligence conscious of itself.” 


Then: 


In the early 1950s, when mean time between memory fail- 
ure was measured in minutes, no one imagined that a sys- 
tem depending on every bit being in exactly the right place 
at exactly the right time could be scaled up by a factor of 
10! in size, and down by a factor of 10° in time. Von 
Neumann, who died prematurely in 1957, became increas- 
ingly interested in understanding how biology has managed 
(and how technology might manage) to construct reliable 
organisms out of unreliable parts. He believed the von 
Neumann architecture would soon be replaced by some- 
thing else. Even if codes could be completely debugged, 
million-cell memories could never be counted upon, digital- 
ly, to behave consistently from one kilocycle to the next. 


Fifty years later, thanks to solid state micro-electronics, 
the von Neumann matrix is going strong. The problem 
has shifted from how to achieve reliable results using 
sloppy hardware, to how to achieve reliable results 
using sloppy code. The von Neumann architecture is 
here to stay. But new forms of architecture, built upon 
the underlying layers of Turing-von Neumann machines, 
are starting to grow. What's next? Where was von 
Neumann heading when his program came to a halt? 


This is all excerpted from an earlier lecture by George, by 
the same title as the one he was giving at eTech. In this earlier 
lecture, George was focused on AI: 


I found myself recollecting the words of Alan Turing, in his 
seminal paper “Computing Machinery and Intelligence”, a 
founding document in the quest for true AI. “In attempt- 
ing to construct such machines we should not be irrever- 
ently usurping His power of creating souls, any more than 
we are in the procreation of children”, Turing had advised. 
“Rather we are, in either case, instruments of His will pro- 
viding mansions for the souls that He creates.” 


Then he added, “Google is Turing's cathedral, awaiting 
its soul.” 

I think, however, the cathedral is bigger than Google. In 
fact, I think it's bigger than a cathedral. I think it's a new 
world, built on materials no less natural yet man-made than 
the rocks and wood shaped and assembled into nave and 
transept, buttress and spire. 

I reached that conclusion watching George flash quote 
after quote up on the screen in the front of the ballroom, 
each drawing another line in the shape we came to call com- 
puting. I photographed as many as I could, and transcribed a 
number of them. I've arranged them in chronological order, 
starting 450 years ago, with several more added in from my 
own quote collection. Follow the threads: 


■ “Why may we not say that all Automata (Engines that 
move themselves by springs and wheeles as doth a watch) 
have artificiall life?”—Thomas Hobbes, 1651 


■ “By Ratiocination, I mean computation. Now to compute, is 
either to collect the sum of many things that are added 
together, and to know what remains when one thing is 
taken out of another...and if any man adde Multiplication 
and Division, I will not be against it, seeing Multiplication is 
nothing but Addition of equals one to another, and Division 
is nothing but a Subtraction of equals one from another, as 
often as is possible. So that all Ratiocination is compre- 
hended in these two operations of the minde Addition and 
Subtraction.”—Thomas Hobbes, 1656 


■ “This [binary] calculus could be implemented by a machine 
(without wheels)...provided with holes in such a way that they 
can be opened and closed. They are to be open at those 
places that correspond to a 1 and remain closed at those that 
correspond to a 0. Through the opened gates small cubes or 
marbles are to fall into tracks, through the others nothing. It 
[the gate array] is to be shifted from column to column as 
required.”—G.W. von Leibniz, March 16, 1679 


■ “Is it a fact—or have I dreamed it—that, by means of elec- 
tricity, the world of matter has become a great nerve, 
vibrating thousands of miles in a breathless point of time? 
Rather the round globe is a vast head, a brain, instinct with 
intelligence! Or shall I say, it is itself a thought, nothing but 
a thought, and no longer the substance which we deemed 
it?”—Nathaniel Hawthorne, 1851 


■ “I see the Net as a world we might see as a bubble. A 
sphere. It's growing larger and larger, and yet inside, every 
point in that sphere is visible to every other one. That's the 
architecture of a sphere. Nothing stands between any two 
points. That's its virtue: it's empty in the middle. The dis- 
tance between any two points is functionally zero, and not just because 
they can see each other, but because nothing interferes with operation 
between any two points. There's a word I like for what's going on here: 
terraform. It's the verb for creating a world. That's what we're making 
here: a new world. Now the question is, what are we going to do to 
cause planetary existence? How can we terraform this new world in a 
way that works for the world and not just ourselves?”—Craig Burton, 
in Linux Journal, 1999 


■ “Here are three basic rules of behavior that are tied directly to the fac- 
tual nature of the Internet: 1) No one owns it. 2) Everyone can use it. 
3) Anyone can improve it.”—“World of Ends”, by Doc Searls and David 
Weinberger, 2003 


■ “There are a couple of reasons why we have national parks and access to 
the seashore. Some things are so much the gifts of nature that they should 
be reserved for everyone. And some things (like the sea, and like the 
Internet) are so important to each of us that keeping them freely available 
makes us a group of citizens rather than slaves....Now—the Internet wasn't 
created by nature; it's an agreement between machines made possible by 
the designers of that agreement (or protocol). But it is a great gift, and it is 
very important to being a citizen, and for these reasons it is owned by all 
for common use. It's a commons, like the Boston Common. And no 
sovereign ever showed up to which the people who ‘own’ the Internet (that 
is, everyone) surrendered their ownership.”—Susan Crawford, January 2003 


■ “We had this idea back in the 70s that one day we would make com- 
puters that would somehow be intelligent on their own. And it's not 
quite working that way. What we're doing is making computers intelli- 
gent because we're part of them.”—Tim O'Reilly at eTech 2006 


As creatures, human beings are gifted with something perhaps even 
more significant than the powers of intelligence and speech. We also have 
the capacity to extend the boundaries of our bodies beyond our skin, hair 
and nails. Through a process of indwelling, we are enlarged and empowered 
by our clothes, tools and vehicles. When we grab a hammer and drive a nail, 
the hammer becomes an extension of our arm. Our senses extend through 
the wood of the handle and the metal of the head, as we pound a nail 
through a board. Oddly, the hammer does not make us superhuman, but 
more human. Because nothing could be more human than to use a tool. 

Likewise, when we drive a car, ride a bike or pilot a plane, our senses 
extend to mechanical perimeters. We don’t just think “my tires”, “my wings”, 
“my fender”, “my engine”. We know these things are ours. They are parts of 
our selves, enlarged by the merging of sense and skill and material. 

A robin is born knowing how to build a nest. A human is born know- 
ing how to do little beyond suckling. Yet because we are gifted with an 
endless capacity for learning, and for enlarging our selves, and for doing 
these things together in groups of all sizes, we have built something larger 
than ourselves called civilization. 

Open-source infrastructural building materials and methods have 
enabled us to build a new framework, a new environment, for civilization. 
Call it a giant brain, a World of Ends, or a network of networks. In every 
case, it is a product of the form of nature we call human. 

The purpose of this new world—this natural environment for business, 
study, games and countless other human activities—is to be useful. In the same 
way that our senses extend from our bodies to our tools and vehicles, the use- 
fulness of kernel-space code extends into the Net that’s built on that code. 

As a result, user space has become almost unimaginably large. And 
sure to become larger. 


Resources for this article: www.linuxjournal.com/article/8942. 


Doc Searls is Senior Editor of Linux Journal. 
Linux software RAID (Redundant Array of Inexpensive Disks) and LVM2 
(Logical Volume Manager, version 2), offered in modern Linux operating 
systems, offer both robustness and flexibility, but at the cost of complexity 
should you ever need to recover data from a drive formatted with software 
RAID and LVM2 partitions. I found this out the hard way when I recently 
tried to mount a system disk created with RAID and LVM2 on a different 
computer. The first attempts to read the filesystems on the disk failed in a 
frustrating manner. 

I had attempted to put two hard disks into a small-form-factor computer 
that was really designed to hold only one hard disk, running the disks as a 
mirrored RAID 1 volume. (I refer to that system as raidbox for the remainder of 
this article.) This attempt did not work, alas. After running for a few hours, it 
would power-off with an automatic thermal shutdown failure. I already had 
taken the system apart and started re-installing with only one disk when I real- 
ized there were some files on the old RAID volume that I wanted to retrieve. 

Recovering the data would have been easy if the system did not use 
RAID or LVM2. The steps would have been to connect the old drive to 
another computer, mount the filesystem and copy the files from the 
failed volume. I first attempted to do so, using a computer I refer to as 
recoverybox, but this attempt met with frustration. 
Why Was This So Hard? 

Getting to the data proved challenging, both because the 
data was on a logical volume hidden inside a RAID device, 
and because the volume group on the RAID device had the 
same name as the volume group on the recovery system. 

Some popular modern operating systems (for example, 
Red Hat Enterprise Linux 4, CentOS 4 and Fedora Core 4) can 
partition the disk automatically at install time, setting up the 
partitions using LVM for the root device. Generally, they set 
up a volume group called VolGroup00, with two logical vol- 
umes, LogVol00 and LogVol01, the first for the root directory 
and the second for swap, as shown in Listing 1. 

The original configuration for the software RAID device 
had three RAID 1 devices: mdO, md1 and md2, for /boot, 
swap and /, respectively. The LVM2 volume group was on the 
biggest RAID device, md2. The volume group was named 
VolGroup00. This seemed like a good idea at the time, 
because it meant that the partitioning configuration for this 
box looked similar to how the distribution does things by 
default. Listing 2 shows how the software RAID array looked 
while it was operational. 

If you ever name two volume groups the same thing, and 
something goes wrong, you may be faced with the same 
problem. Creating conflicting names is easy to do, unfortu- 
nately, as the operating system has a default primary volume 
group name of VolGroup00. 


Restoring Access to the RAID Array Members 
To recover, the first thing to do is to move the drive to anoth- 
er machine. You can do this pretty easily by putting the drive 
in a USB2 hard drive enclosure. It then will show up as a SCSI 
hard disk device, for example, /dev/sda, when you plug it in 
to your recovery computer. This reduces the risk of damaging 
the recovery machine while attempting to install the hard- 
ware from the original computer. 

The challenge then is to get the RAID setup recognized 
and to gain access to the logical volumes within. You can use 
sfdisk -l /dev/sda to check that the partitions on the old 
drive are still there. 

To get the RAID setup recognized, use mdadm to scan the 
devices for their raid volume UUID signatures, as shown in 
Listing 3. 

This format is very close to the format of the 
/etc/mdadm.conf file that the mdadm tool uses. You need to 
redirect the output of mdadm to a file, join the device lines 
onto the ARRAY lines and put in a nonexistent second device 
to get a RAID1 configuration. Viewing the md array in 
degraded mode will allow data recovery: 


[root@recoverybox ~]# mdadm --examine --scan /dev/sda1 /dev/sda2 /dev/sda3 >> /etc/mdadm.conf 
[root@recoverybox ~]# vi /etc/mdadm.conf 


Edit /etc/mdadm.conf so that the devices statements are 
on the same lines as the ARRAY statements, as they are in 
Listing 4. Add the “missing” device to the devices entry for 
each array member to fill out the raid1 complement of two 
devices per array. Don’t forget to renumber the md entries if 
the recovery computer already has md devices and ARRAY 
statements in /etc/mdadm.conf. 

Then, activate the new md devices with mdadm -A -s, 
and check /proc/mdstat to verify that the RAID array is active. 
Listing 5 shows how the RAID array should look. 

If md devices show up in /proc/mdstat, all is well, and you 
can move on to getting the LVM volumes mounted again. 
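The mdadm.conf edit described above, automated as an added Python example (this is not code from the article). It folds each devices= line into its ARRAY line, pads the member list with "missing" so the RAID 1 array can be assembled degraded, and moves md numbers that collide with ARRAY statements already in the recovery machine's /etc/mdadm.conf to free ones. SCAN_OUTPUT is a constructed sample in the shape of Listing 3.

```python
"""Turn `mdadm --examine --scan` output into ARRAY lines for /etc/mdadm.conf.

Added example, not code from the article. Devices= lines are joined onto
their ARRAY lines, each member list is padded with 'missing' up to
num-devices, and md numbers already claimed by the recovery box's own
mdadm.conf are renumbered to free ones.
"""
import re

# Constructed sample in the shape of Listing 3, using the article's UUIDs.
SCAN_OUTPUT = """\
ARRAY /dev/md2 level=raid1 num-devices=2 UUID=532502de:90e44fb0:242f485f:f02a2565
   devices=/dev/sda3
ARRAY /dev/md1 level=raid1 num-devices=2 UUID=75fa22aa:9a11bcad:b42ed14a:b5f8da3c
   devices=/dev/sda2
ARRAY /dev/md0 level=raid1 num-devices=2 UUID=b3cd99e7:d02be486:b0ea429a:e18ccf65
   devices=/dev/sda1
"""

ARRAY_RE = re.compile(r"^ARRAY\s+(/dev/md(\d+))", re.M)


def parse_scan(text):
    """One dict per ARRAY stanza, with the indented devices= line folded in."""
    arrays = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("ARRAY "):
            fields = line.split()
            entry = {"device": fields[1]}
            for kv in fields[2:]:          # level=, num-devices=, UUID=
                key, _, value = kv.partition("=")
                entry[key] = value
            arrays.append(entry)
        elif line.startswith("devices=") and arrays:
            arrays[-1]["devices"] = line[len("devices="):].split(",")
    return arrays


def md_number(name):
    return int(name[len("/dev/md"):])


def build_conf(scan_text, existing_conf=""):
    """Return ARRAY lines ready to append to the recovery box's mdadm.conf."""
    scan = parse_scan(scan_text)
    taken = {m.group(1) for m in ARRAY_RE.finditer(existing_conf)}
    # Scanned arrays that do not clash keep their number; a clashing one
    # must avoid both the existing names and the other scanned names.
    reserved = taken | {e["device"] for e in scan}
    lines = []
    for entry in scan:
        name = entry["device"]
        if name in taken:
            n = 0
            while "/dev/md%d" % n in reserved:
                n += 1
            name = "/dev/md%d" % n
            reserved.add(name)
        wanted = int(entry["num-devices"])
        devices = entry.get("devices", [])
        devices += ["missing"] * (wanted - len(devices))  # fill out the raid1
        lines.append("ARRAY %s level=%s num-devices=%d UUID=%s devices=%s"
                     % (name, entry["level"], wanted, entry["UUID"],
                        ",".join(devices)))
    lines.sort(key=lambda l: md_number(l.split()[1]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_conf(SCAN_OUTPUT), end="")
```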
Listing 1. 


TYPICAL LVM DISK CONFIGURATION 


[root@recoverybox ~]# /sbin/sfdisk -l /dev/hda 


Disk /dev/hda: 39560 cylinders, 16 heads, 63 sectors/track 
Warning: The partition table looks like it was made 
for C/H/S=*/255/63 (instead of 39560/16/63). 
For this listing I'll assume that geometry. 
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0 


   Device Boot Start     End   #cyls    #blocks   Id  System 
/dev/hda1   *      0+     12      13-    104391   83  Linux 
/dev/hda2         13    2481    2469   19832242+  8e  Linux LVM 
/dev/hda3          0       -       0          0    0  Empty 
/dev/hda4          0       -       0          0    0  Empty 


[root@recoverybox ~]# /sbin/pvscan 
  PV /dev/hda2   VG VolGroup00   lvm2 [18.91 GB / 32.00 MB free] 
  Total: 1 [18.91 GB] / in use: 1 [18.91 GB] / in no VG: 0 [0   ] 
[root@recoverybox ~]# /usr/sbin/lvscan 
  ACTIVE            '/dev/VolGroup00/LogVol00' [18.38 GB] inherit 
  ACTIVE            '/dev/VolGroup00/LogVol01' [512.00 MB] inherit 
Listing 2. 


SOFTWARE RAID DISK CONFIGURATION 


[root@raidbox ~]# /sbin/sfdisk -l /dev/hda 


Disk /dev/hda: 9729 cylinders, 255 heads, 63 sectors/track 
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0 


   Device Boot Start     End   #cyls    #blocks   Id  System 
/dev/hda1          0+     12      13-    104391   fd  Linux raid autodetect 
/dev/hda2         13      77      65     522112+  fd  Linux raid autodetect 
/dev/hda3         78    9728    9651   77521657+  fd  Linux raid autodetect 
/dev/hda4          0       -       0          0    0  Empty 


[root@raidbox ~]# cat /proc/mdstat 
Personalities : [raid1] 
md2 : active raid1 hdc3[1] hda3[0] 
      77521536 blocks [2/2] [UU] 

md1 : active raid1 hdc2[1] hda2[0] 
      522048 blocks [2/2] [UU] 

md0 : active raid1 hdc1[1] hda1[0] 
      104320 blocks [2/2] [UU] 


Listing 3. 


SCANNING A DISK FOR RAID ARRAY MEMBERS 


[root@recoverybox ~]# mdadm --examine --scan /dev/sda1 /dev/sda2 /dev/sda3 
ARRAY /dev/md2 level=raid1 num-devices=2 UUID=532502de:90e44fb0:242f485f:f02a2565 
   devices=/dev/sda3 
ARRAY /dev/md1 level=raid1 num-devices=2 UUID=75fa22aa:9a11bcad:b42ed14a:b5f8da3c 
   devices=/dev/sda2 
ARRAY /dev/md0 level=raid1 num-devices=2 UUID=b3cd99e7:d02be486:b0ea429a:e18ccf65 
   devices=/dev/sda1 


Listing 4. 


/etc/mdadm.conf 


DEVICE partitions 

ARRAY /dev/md0 level=raid1 num-devices=2 UUID=b3cd99e7:d02be486:b0ea429a:e18ccf65 devices=/dev/sda1,missing 

ARRAY /dev/md1 level=raid1 num-devices=2 UUID=75fa22aa:9a11bcad:b42ed14a:b5f8da3c devices=/dev/sda2,missing 

ARRAY /dev/md2 level=raid1 num-devices=2 UUID=532502de:90e44fb0:242f485f:f02a2565 devices=/dev/sda3,missing 


Listing 5. 


Reactivating the RAID Array 


[root@recoverybox ~]# mdadm -A -s 
[root@recoverybox ~]# cat /proc/mdstat 
Personalities : [raid1] 
md2 : active raid1 sda3[1] 
      77521536 blocks [2/1] [_U] 

md1 : active raid1 sda2[1] 
      522048 blocks [2/1] [_U] 

md0 : active raid1 sda1[1] 
      104320 blocks [2/1] [_U] 

unused devices: <none> 


Recovering and Renaming the LVM2 Volume 

The next hurdle is that the system now will have two sets of LVM2 disks 
with VolGroup00 in them. Typically, the vgchange -a y command would 
allow LVM2 to recognize a new volume group. That won't work if devices 
containing identical volume group names are present, though. Issuing 
vgchange -a y will report that VolGroup00 is inconsistent, and the 
VolGroup00 on the RAID device will be invisible. To fix this, you need to 
rename the volume group that you are about to mount on the system by 
hand-editing its LVM configuration file. 

If you made a backup of the files in /etc on raidbox, you can edit a 
copy of the file /etc/lvm/backup/VolGroup00, so that it reads VolGroup01 
or RestoreVG or whatever you want it to be named on the system you are 
going to restore under, making sure to edit the file itself to rename the 
volume group in the file. 

If you don't have a backup, you can re-create the equivalent of 
an LVM2 backup file by examining the LVM2 header on the disk and 
editing out the binary stuff. LVM2 typically keeps copies of the meta- 
data configuration at the beginning of the disk, in the first 255 sectors 
following the partition table in sector 1 of the disk. See /etc/lvm/lvm.conf 
and man lvm.conf for more details. Because each disk sector is typically 
512 bytes, reading this area will yield a 128KB file. LVM2 may have 
stored several different text representations of the LVM2 configuration 
on the partition itself in the first 128KB. Extract these to an 
ordinary file as follows, then edit the file: 


dd if=/dev/md2 bs=512 count=255 skip=1 of=/tmp/md2-raw-start 
vi /tmp/md2-raw-start 


You will see some binary gibberish, but look for the bits of plain 
text. LVM treats this metadata area as a ring buffer, so there may be 
multiple configuration entries on the disk. On my disk, the first entry 
had only the details for the physical volume and volume group, and 
the next entry had the logical volume information. Look for the block 
of text with the most recent timestamp, and edit out everything 
except the block of plain text that contains LVM declarations. This 
has the volume group declarations that include logical volumes infor- 
mation. Fix up physical device declarations if needed. If in doubt, look 
at the existing /etc/lvm/backup/VolGroup00 file to see what is there. 
On disk, the text entries are not as nicely formatted and are in a 
different order than in the normal backup file, but they will do. Save 
the trimmed configuration as VolGroup01. This file should then look 
like Listing 6. 

Once you have a volume group configuration file, migrate the volume 
group to this system with vgcfgrestore, as Listing 7 shows. 

At this point, you can now mount the old volume on the new system, 
and gain access to the files within, as shown in Listing 8. 

Now that you have access to your data, a prudent final step would 
be to back up the volume group information with vgcfgbackup, as 
Listing 9 shows. 


Listing 6. 


Modified Volume Group Configuration File 


VolGroup01 { 
  id = "xQZqTG-V4wn-DLeQ-bJ0J-GEHB-4teF-A4PPBv" 
  seqno = 1 
  status = ["RESIZEABLE", "READ", "WRITE"] 
  extent_size = 65536 
  max_lv = 0 
  max_pv = 0 

  physical_volumes { 

    pv0 { 
      id = "tRACEy-cstP-kk18-zQFZ-ErG5-QAIV-YqHItA" 
      device = "/dev/md2" 

      status = ["ALLOCATABLE"] 
      pe_start = 384 
      pe_count = 2365 
    } 

  } 
} 

# Generated by LVM2: Sun Feb  5 22:57:19 2006 


Listing 7. 


Activating the Recovered LVM2 Volume 


[root@recoverybox ~]# vgcfgrestore -f VolGroup01 VolGroup01 
[root@recoverybox ~]# vgscan 
  Reading all physical volumes.  This may take a while... 
  Found volume group "VolGroup01" using metadata type lvm2 
  Found volume group "VolGroup00" using metadata type lvm2 
[root@recoverybox ~]# pvscan 
  PV /dev/md2    VG VolGroup01   lvm2 [73.91 GB / 32.00 MB free] 
  PV /dev/hda2   VG VolGroup00   lvm2 [18.91 GB / 32.00 MB free] 
  Total: 2 [92.81 GB] / in use: 2 [92.81 GB] / in no VG: 0 [0   ] 
[root@recoverybox ~]# vgchange VolGroup01 -a y 
  1 logical volume(s) in volume group "VolGroup01" now active 
[root@recoverybox ~]# lvscan 
  ACTIVE            '/dev/VolGroup01/LogVol00' [73.88 GB] inherit 
  ACTIVE            '/dev/VolGroup00/LogVol00' [18.38 GB] inherit 
  ACTIVE            '/dev/VolGroup00/LogVol01' [512.00 MB] inherit 
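The metadata extraction step above, automated as an added Python example (this is not the article's code). It splits the raw dd output into NUL-terminated text entries, keeps the entry with the most recent "# Generated by LVM2" timestamp, and renames the volume group so it no longer clashes with the recovery box's VolGroup00. SAMPLE_AREA is a constructed metadata area that reuses the ids from Listing 6; its logical volume block and its junk bytes are made up.

```python
"""Pull the newest LVM2 text metadata out of a raw PV metadata area.

Added example, not code from the article. Given the 255 sectors the article
copies with dd (e.g. /tmp/md2-raw-start), it finds each NUL-terminated text
entry in the ring buffer, keeps the one with the latest '# Generated by LVM2'
timestamp, and renames the volume group. Run with no arguments to use the
built-in constructed sample.
"""
import re
import sys
import time

# Constructed on-disk metadata area. The VG/PV ids come from Listing 6; the
# logical volume block is made up for this example (not real LVM output).
VG_HEAD = (b'VolGroup00 {\nid = "xQZqTG-V4wn-DLeQ-bJ0J-GEHB-4teF-A4PPBv"\n'
           b'seqno = %d\nstatus = ["RESIZEABLE", "READ", "WRITE"]\n'
           b'extent_size = 65536\nmax_lv = 0\nmax_pv = 0\n')
PV_BLOCK = (b'physical_volumes {\npv0 {\n'
            b'id = "tRACEy-cstP-kk18-zQFZ-ErG5-QAIV-YqHItA"\ndevice = "/dev/md2"\n'
            b'status = ["ALLOCATABLE"]\npe_start = 384\npe_count = 2365\n}\n}\n')
LV_BLOCK = (b'logical_volumes {\nLogVol00 {\nid = "CONSTRUCTED-LV-ID-not-real"\n'
            b'status = ["READ", "WRITE", "VISIBLE"]\nsegment_count = 1\n'
            b'segment1 {\nstart_extent = 0\nextent_count = 2364\n'
            b'type = "striped"\nstripe_count = 1\nstripes = ["pv0", 0]\n}\n}\n}\n')
TRAILER = (b'}\n# Generated by LVM2: %s\n'
           b'contents = "Text Format Volume Group"\nversion = 1\n')

# Ring buffer as the article describes: a stale entry (PV and VG only,
# seqno 1) followed by the current one (with the LV, seqno 2), amid junk.
SAMPLE_AREA = (b"\xffLABELONE\x00\x00\x01\x02" + b"\x00" * 24
               + VG_HEAD % 1 + PV_BLOCK + TRAILER % b"Sun Feb  5 22:57:19 2006"
               + b"\x00" * 40 + b"\x7f\x1b\x80"
               + VG_HEAD % 2 + PV_BLOCK + LV_BLOCK
               + TRAILER % b"Sun Feb  5 22:58:02 2006"
               + b"\x00" * 300)

ENTRY_RE = re.compile(r"([A-Za-z0-9_+.-]+) \{\n")          # 'VolGroup00 {'
STAMP_RE = re.compile(r"^# Generated by LVM2: (.+)$", re.M)
SEQNO_RE = re.compile(r"^seqno = (\d+)$", re.M)


def find_entries(raw):
    """Return (vg_name, seqno, struct_time, text) for every text entry."""
    found = []
    for chunk in raw.split(b"\x00"):
        # Keep only printable ASCII, tab and newline: the "binary gibberish"
        # around an entry is dropped here.
        text = re.sub(r"[^\t\n\x20-\x7e]", "", chunk.decode("ascii", "ignore"))
        start, stamp, seqno = (ENTRY_RE.search(text), STAMP_RE.search(text),
                               SEQNO_RE.search(text))
        if not (start and stamp and seqno):
            continue
        when = time.strptime(stamp.group(1).strip(), "%a %b %d %H:%M:%S %Y")
        found.append((start.group(1), int(seqno.group(1)), when,
                      text[start.start():]))
    return found


def newest_entry(raw):
    """The entry with the latest timestamp (seqno breaks ties)."""
    entries = find_entries(raw)
    if not entries:
        raise ValueError("no LVM2 text metadata found in this area")
    return max(entries, key=lambda e: (e[2], e[1]))


def rename_vg(text, old, new):
    """Rewrite the leading 'OLD {' so vgcfgrestore creates the VG as NEW."""
    if not text.startswith(old + " {"):
        raise ValueError("metadata does not start with %r" % old)
    return new + text[len(old):]


def recover_config(raw, new_name):
    """Return (original vg name, renamed configuration text)."""
    name, _, _, text = newest_entry(raw)
    return name, rename_vg(text, name, new_name)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            area = f.read()
    else:
        area = SAMPLE_AREA
    new = sys.argv[2] if len(sys.argv) > 2 else "VolGroup01"
    old, config = recover_config(area, new)
    sys.stderr.write("renamed %s to %s; save the output as the new VG file\n"
                     % (old, new))
    sys.stdout.write(config)
```

Redirect the output to a file named after the new volume group and hand that file to vgcfgrestore -f, as Listing 7 does.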
Listing 8. 


Mounting the Recovered Volume 


[root@recoverybox ~]# mount /dev/VolGroup01/LogVol00 /mnt 
[root@recoverybox ~]# df -h 
Filesystem            Size  Used Avail Use% Mounted on 
/dev/mapper/VolGroup00-LogVol00 
                       19G  4.7G   13G  28% / 
/dev/hda1              99M   12M   82M  13% /boot 
none                  126M     0  126M   0% /dev/shm 
/dev/mapper/VolGroup01-LogVol00 
                       73G  2.5G   67G   4% /mnt 
[root@recoverybox ~]# ls -l /mnt 
total 200 
drwxr-xr-x   2 root root  4096 Feb  6 02:36 bin 
drwxr-xr-x   2 root root  4096 Feb  5 18:03 boot 
drwxr-xr-x   4 root root  4096 Feb  5 18:03 dev 
drwxr-xr-x  79 root root 12288 Feb  6 23:54 etc 
drwxr-xr-x   3 root root  4096 Feb  6 01:11 home 
drwxr-xr-x   2 root root  4096 Feb 21  2005 initrd 
drwxr-xr-x  11 root root  4096 Feb  6 02:36 lib 
drwx------   2 root root 16384 Feb  5 17:59 lost+found 
drwxr-xr-x   3 root root  4096 Feb  6 22:12 media 
drwxr-xr-x   2 root root  4096 Oct  7 09:03 misc 
drwxr-xr-x   2 root root  4096 Feb 21  2005 mnt 
drwxr-xr-x   2 root root  4096 Feb 21  2005 opt 
drwxr-xr-x   2 root root  4096 Feb  5 18:03 proc 
drwxr-x---   5 root root  4096 Feb  7 00:19 root 
drwxr-xr-x   2 root root 12288 Feb  6 22:37 sbin 
drwxr-xr-x   2 root root  4096 Feb  5 23:04 selinux 
drwxr-xr-x   2 root root  4096 Feb 21  2005 srv 
drwxr-xr-x   2 root root  4096 Feb  5 18:03 sys 
drwxr-xr-x   3 root root  4096 Feb  6 00:22 tftpboot 
drwxrwxrwt   5 root root  4096 Feb  7 00:21 tmp 
drwxr-xr-x  15 root root  4096 Feb  6 22:33 usr 
drwxr-xr-x  20 root root  4096 Feb  5 23:15 var 


Listing 9. 


Backing Up Recovered Volume Group Configuration 


[root@teapot-new ~]# vgcfgbackup 
  Volume group "VolGroup01" successfully backed up. 
  Volume group "VolGroup00" successfully backed up. 
[root@teapot-new ~]# ls -l /etc/lvm/backup/ 
total 24 
-rw-------  1 root root 1350 Feb 10 09:09 VolGroup00 
-rw-------  1 root root 1051 Feb 10 09:09 VolGroup01 


Conclusion 


LVM2 and Linux software RAID make it possible to create economical, reli- 
able storage solutions with commodity hardware. One trade-off involved is 
that some procedures for recovering from failure situations may not be 
clear. A tool that reliably extracted old volume group information directly 
from the disk would make recovery easier. Fortunately, the designers of the 
LVM2 system had the wisdom to keep plain-text backup copies of the con- 
figuration on the disk itself. With a little patience and some research, I was 
able to regain access to the logical volume I thought was lost; may you 
have as much success with your LVM2 and RAID installation. 


Resources for this article: www.linuxjournal.com/article/8948. 


Richard Bullington-McGuire is the Managing Partner of PKR Internet, LLC, a software and systems consulting 
firm in Arlington, Virginia, specializing in Linux, Open Source and Java. He has been a Linux sysadmin since 
1994. You can reach him at rbulling@pkrinternet.com. 
KIO makes it easy to access network storage from Konqueror and many other KDE KIO-enabled applications. 


Jes Hall 


Kioslaves are out-of-process protocol handling plugins that let you access various services as though they were part of your local filesystem. They can be accessed through the Konqueror file manager and any standard file dialog in most KDE applications. The applications using KIO don't need to be aware of how to access the remote host or device—the kioslave handles it all. This provides powerful and flexible network transparency for KDE applications. 

KDE includes a large range of basic 
kioslaves. Some KDE add-on applications 
install their own. You can add new kioslaves 
at any time, and all KDE KIO-aware applica- 
tions will work with them. If you use 
Konqueror as a Web browser, you're already 
using KIO, as the HTTP, HTTPS and FTP protocols 
are implemented as kioslaves. 
Illustration by andyhair 


The KDE fish kioslave provides a graphical interface for manipulating files over Secure SHell (SSH). Fish should work with any POSIX-compliant UNIX providing it has a Bourne-compatible shell as /bin/sh and basic file manipulation utilities like cat, chgrp, chmod, chown, cp, dd, env, expr, grep, ls, mkdir, mv, rm, rmdir, sed and wc. If Perl is available, it is used instead. In that case, only env and /bin/sh are needed out of the list above, and using Perl has the advantage of being much faster. I've used fish to log in to Linux, FreeBSD, Mac OS X and Solaris with equal success. 

Most of what is discussed in this article holds true of the ftp and 
sftp kioslaves as well, which present much the same interface to the user. 

Here, I'd like to use fish to log in to my Apple Macintosh computer to grab some files and copy them locally. Because it's running a variant of UNIX with env and Perl and has sshd running, fish will work with it just fine. To log in to a remote host, type: 


fish://username@host 


into the Konqueror address bar. If your remote sshd is listening on a 
custom port, you can specify this at the end of the URL: 


fish://username@host:9999 


If this is the first time you've tried to connect to this host over SSH, 
Konqueror brings up a dialog noting that it cannot verify the authenticity 
of the host and asks for your input to proceed. Select Yes to indicate that 
you want to continue connecting to this host. SSH then caches the finger- 
print of this host in your ~/.ssh/known_hosts file. 

Unless you have SSH keys set up for passwordless login, Konqueror 
shows a dialog asking you to enter your password. Ticking the box Keep 
password saves the password into your KWallet. This can be very conve- 
nient if you plan to access this host often. 

Now I'm logged in and looking at my home directory on the remote host. I need to find the image I want out of the image files stored here. With the size of my digital photograph library, none of the images are named descriptively, and unfortunately, without being able to look at the images, I really have no idea which is the one I want. 

One of the areas where fish really shines is the way it lets you preview remote files in much the same way you would preview local ones. KDE's preview mechanism is flexible and powerful, enabling you to see previews of images, PDF files, fonts and office documents as well as listen to previews of audio files. 

Figure 1. KDE's ability to display previews over remote protocols makes finding the file you want a breeze. 

Figure 2. The Kate Open File Dialog, Displaying a Remote Location over Fish 

To enable previews over fish, select Configure Konqueror... from the 
Konqueror Settings menu. Navigate to Previews & Meta-Data in the dialog 
that appears. Under Internet Protocols, tick the box next to fish. Adjust 
the slider beneath Maximum file size to a sane value for the speed of the 
connection you're using. If you’re accessing hosts over the Internet, you 
probably don’t want Konqueror to attempt to generate thumbnail images 
of 100MB TIFF files. Click OK and you're done. 

To fine-tune exactly the specific file types for which you want to see 
previews, look under Preview in the View menu. Here you can enable vari- 
ous file types for showing previews, and also quickly toggle between 
enabling and disabling previews globally. If you had a Konqueror window 
open while adjusting these settings, you may need to click reload before 
you see any changes. 

Now I can see previews of my images, and I've found the one I want. I can drag and drop it to an open Krita window for editing and save my changes afterward directly to the remote host. Or, I simply could copy the file locally for further processing, also using drag and drop. 

Fish lends itself well to the simple maintenance of remote Web sites. Tasks like moving, renaming and changing permissions on remote files are easy when you approach them from Konqueror's familiar file management interface. 

Changing permissions for files on a Web server is a common task. 
Often the default permissions on files created on your Linux box can 
be too restrictive and result in a Forbidden error message when people 
try to access the files over the Web. To change the permissions of a 
file over fish, right-click on the file and select Properties. On the 
Permissions tab choose Can read for both Group and Other permis- 
sions, and click OK. If you were changing permissions for a CGI, you 
also would tick the box labeled is executable. 

In KDE 3.5, Kate gained the ability to save a working set of documents 
as a session to be resumed easily again later. When coupled with fish, this 
makes, for me at least, the ultimate Web development environment. 

To open up all of the HTML, CSS and other files associated with my Web site in Kate, I can drag and drop them from an open Konqueror window showing me a fish session to the remote host. Dragging and dropping multiple files in this way causes them to be opened as separate files that I can navigate between in the Documents pane. 

If you prefer to use a more GUI-oriented Web development tool rather than editing files manually in Kate, the full-featured integrated Web development environment, Quanta Plus, is also KIO-enabled. 

You can use the File->Open dialog to take advantage of KIO network transparency. All standard KDE file dialogs have support for kioslaves. To load files over fish, select Open from the File menu. In the location bar at the top of the file dialog, type your fish URL: 


fish://canllaith@canllaith.org 


Navigate to where the files associated with your Web site or where 
other projects are kept, and open the files you want to be a part of 
the session. To open multiple files at once, hold down the Ctrl key and 
click once on each file you want to open. When you're finished select- 
ing files, click Open. 

If you plan to access this remote host often, you can add a short- 
cut to the icon bar on the left of the dialog. Choose the directory to 
which you want the shortcut to point, and drag it to the icon bar. You 
can edit the name, icon and other attributes of this shortcut by right- 
clicking on it and selecting Edit Entry. 

Once Kate has loaded the files you want to save as a session, select Save As from the Sessions menu. Enter a name for your new session—as I'm saving various files relating to my Web site, I call my session canllaith.org. 

In the future, when you want to load this set of remote files quickly, you can choose the saved session from the Sessions menu. I use this tool time and time again. At the end of a day of working on a Web site and opening various remote files from all over the directory tree, I simply save them as a session with the date and a short descriptive name. Next time, remembering where I left off and what files I was working on is a little bit easier. 


Samba 

The smb kioslave included with KDE lets you browse Microsoft Windows 
smb file shares. It requires that you install libsmbclient. If you navigate to 
smb:/ in Konqueror (or use the nifty Alt-F2 shortcut described below), you 
will be shown any Windows workgroups found, and you can browse 
through them for the host you want. You also can specify a host or a spe- 
cific share of a host directly with: 


smb://username@hostname/share 


Like fish, if you don’t specify a user name, Konqueror prompts you for 
a user name and password pair that you can save with KWallet. If you 
always use a particular user name/password pair on your Samba network, 
rather than having to save passwords individually for every host you access, 
you can configure this to be supplied automatically by KDE. In the KDE 
Control Center, navigate to Internet & Network->Local Network Browsing. 
Here you can enter the default user name and password pair you want 
KDE to use for its Samba client. 

As well as adding shortcuts to the File dialog, you also can add desktop 
shortcuts to hosts you want to access frequently. To create a desktop 
shortcut to an smb URL, right-click on the KDE desktop and select Create 
New->Link to Location (URL)... from the context menu. Fill in the smb:// (or 
fish) URL to the share to which you want to create the shortcut in the box 
labeled Enter link to location (URL):. KDE fills in the filename box with a 
suitable name, or you can choose your own. Click OK and you're done. 

As well as accessing kioslaves through the Konqueror address bar and KDE standard file dialogs, you can load kioslaves quickly with the KDE Run Command box. Try pressing Alt-F2 to bring up the Run Command box, and type help:/kwrite. A Konqueror window is launched showing you the KWrite Handbook. This works with all kioslaves and is a handy way of looking up help pages or loading a remote URL quickly, if, like me, you tend to have a rather cluttered screen. 

Figure 3. Creating a Desktop Shortcut for a Location Accessible over Samba 

Figure 4. The locate kioslave shows the results of the query "kio" in my home directory. 

Many other interesting kioslaves are included with KDE, and you can 
download other third-party efforts from kde-apps.org as source code that 
can be compiled against a recent KDE version. To find them, search for 
“kio” on the KDE-apps.org search page. If you want to compile the 
kioslaves you've downloaded, you need to have a working C++ compiler 
and the appropriate development libraries for KDE and Qt installed. Usually 
these are packaged separately from the KDE runtime libraries. 

To find out which kioslaves you have installed, type help:/kioslave 
in the Run Command box or the Konqueror address bar. This is the 
KDE help kioslave, which lets you access the help documentation for 
installed KDE programs through Konqueror. Some of the more inter- 
esting kioslaves include: 


■ cgi: this kioslave executes CGI programs without needing to have a running Web server. It is really handy for off-line local testing of CGI scripts. 

■ locate: Kubuntu includes kio-locate by default, and you can download the sources for other distributions from KDE-apps.org. kio-locate is a kioslave for locate or slocate. Typing locate:query term into any KIO-enabled field displays the results from the locate database. This is immensely convenient when combined with the File dialog. Want to open that budget spreadsheet in KSpread, but you realise you can't quite remember where you saved it until after you've launched the application? Without having to leave the File dialog, locate:/ comes to the rescue. 

■ tar: this kioslave allows you to browse the contents of tar, tar.bz2 and tar.gz archives. It's registered as the default handler for these files within KDE. This lets every KDE application handle loading and saving files to archives transparently without needing to extract them. With previews enabled, it's easy to find the single file that you want out of the hundreds or even thousands in the archive. 

■ zip: this kioslave lets you browse the contents of zip archives, much like the tar kioslave does for tar archives. 

■ info/man: the info and man kioslaves provide a friendly interface to reading man and info pages. The info kioslave in particular makes navigating pages much easier with a mouse-driven browser interface that's simpler to use than the command-line tool. 

■ audiocd: this kioslave provides a simple interface for ripping and encoding files from music CDs to Ogg, MP3 or FLAC using drag and drop. 


Konqueror is an application with amazing flexibility as both a Web browser and file manager, due mostly to its extensibility with kioslaves. The kioslaves featured above are barely the tip of the iceberg. Experiment with those listed in help:/kioslave to see what else Konqueror can do. 


Jes Hall is a KDE developer from New Zealand who is passionate about helping open-source software 
bring life-changing information and tools to those who would otherwise not have them. She welcomes 
comments sent to jhall@kde.org. 
Yellow Dog Linux Installs Neatly on an iPod 


Forget bootable USB pendrives and use an iPod to boot Linux on a Mac. 


Dave Taylor 


THE CONCEPT'S GREAT: what would it be like to have a pocket-size device that I could plug in to just about any Macintosh and by simply rebooting the computer be running a full-blown Linux installation? There are oodles of Linux OSes for Intel architectures, of course, but the Mac, until very recently, has been built around the Motorola architecture, so the number of choices is rather fewer. 

One of the few Linux OSes for the PowerPC is called Yellow Dog, from 
Terra Soft Solutions, www.yellowdoglinux.com. It costs about $60 US for 
the install CDs and documentation or $30 US for the “geek edition” (that’s 
just the install CDs), or you can download it for free from the Web site. And, 
let me answer the obvious question: because Mac OS X already is a UNIX 
(basically FreeBSD with lots of added stuff, much of which you can find in 
Darwin, www.apple.com/darwin), why bother with a Mac Linux? The 
answer is that although Mac OS X is a splendid mating of a UNIX operating 
system with all the graphical goodness of Apple's user interface design, it’s 
still not Linux. If you’re in a Linux environment and want to run KDE or 
GNOME, you don’t have to graft it onto Mac OS X if you can run a Linux 
designed for the Mac platform instead. Besides, isn’t it kinda cool anyway? 

Anyway, I had a spare Apple iPod, a first-generation 5GB device that worked via the FireWire interface rather than the more modern USB connection, and I was assured by the folks at Yellow Dog that I could squeeze YDL into as small as 1GB. I have plenty of space on a 5GB device. Of course, I already had a gig of music and audio books I wanted to preserve, so the first test was to see if I could repartition the device to grab 3GB for Linux and keep 2GB for audio and iPod content. The perfect stealth Linux device, right? 

So, one afternoon I decided to take the plunge and hooked up my iPod to my PowerBook computer and inserted the first of the YDL 4.1 install disks and restarted the Mac, holding down the C key to force the device to boot off the CD-ROM, not the internal hard disk. When prompted, I typed in install firewire and away we went. 


Partitioning the iPod for YDL 

New to the 4.x version of Yellow Dog is the inclusion of the popular 
Anaconda graphical installer, which makes everything quite a bit easier. It 
lets you resize existing drive partitions to make space for the new operat- 
ing system. The new partitions also can be made bootable, which is a criti- 
cal component for the success of this project. 

Theoretically, partitioning should be pretty easy. | have a 5GB iPod 
FireWire device and am using just a wee bit more than 1GB of it for music. 
I'll resize the iPod drive to 2GB and have 3GB spare to repartition as an 
ext3 filesystem and be good to go. 

Well, that’s the theory, but it doesn’t quite work out that way. 

Part way through the install process, managed by Anaconda, I have the option of accepting an automatic partitioning scheme or using Disk Druid to work with my disk partitions manually. I take the latter path and am glad to see that one of the drives is identified as "Drive /dev/sda (4769MB) Model: Apple iPod", so there's no worry that I'll accidentally reformat or resize my laptop drive, which would be quite ungood. To resize the iPod drive, I simply choose that partition and click Edit in the Disk Druid, and then specify that I want it to be 2,000MB rather than 4,769MB (which should give me 2.7GB for Linux). It promptly recalculates that to be 1,999MB and within about 90 seconds rebuilds the iPod disk partition, leaving a big chunk of space unallocated. 

Here's where I get into trouble, because I'm a UNIX geek who is sure that I can proceed without reading any darn manual or instructions. Yeah, even Terra Soft expects this and has a note in the installation guide (which I didn't read until afterward, of course) saying, "User error is common. Not because people lack intelligence, but because people are smart and too determined to jump into their new operating system without reading the Guide to Installation. Especially those of you who are Linux Experts—you know who you are!" Yeah, yeah, yeah. 

Fortunately, the trouble ate up only time, and didn't corrupt anything. Basically, although I figured that I simply could create one partition that was all the available space, Disk Druid wouldn't let me proceed without also creating an Apple Boot partition, and then, after I figured that out (the Apple Boot partition is instead of ext3, and not the same as the /boot mountpoint for an ext3 partition), it also insisted I create a swap partition too. 

More than once it complained, and I had to back up and resize the new partition down, then create an additional partition, but, finally, here's where I ended up (Table 1). 


Table 1. Partition Breakdown 

Partition   Size     File Type   Mountpoint 
sda3        2000MB   foreign 
sda4        (size, type and mountpoint not legible in the scan) 
sda5        (size, type and mountpoint not legible in the scan) 
(fourth partition row not legible in the scan) 


If you're paying attention, you'll see that the swap space is really too small. You should have at least the same swap space as your physical memory, and typically 1.5x is a better size for performance reasons. Because I have 756MB of RAM, that means I should have at least a 756MB swap space. Oh well. I indicated that I was okay with a nonrecommended size and proceeded anyway. 

Elapsed time: 1 hour. 


Basic Network Configuration and Installation 

After dancing the Disk Druid dance for almost an hour, it was a distinct pleasure to get to a prompt asking about DHCP and network configuration. I picked all the basic defaults, except I skipped configuring a firewall. It didn't like that, but let me proceed after giving me a little lecture on system security. 

As I originally chose a Personal Workstation configuration, it meant that my default package set was X Window System + KDE + OpenOffice.org + Mozilla + Evolution + IM tools + games. Not good. Why? Because my disk partition was 367MB too small. 

Going back to the proverbial drawing board, I started trying to pull out individual applications, guessing how much each one would take of the installation. It's amazing, really, after all these years, that Anaconda doesn't indicate how big each package is when you're trying to navigate through it. Instead, I piddled around removing Gaim (a multi-IM utility) to save 41MB; XChat (an IRC client) to save 5MB; all the sound and video applications (saving 57MB); all the graphics applications, including The GIMP and ImageMagick (saving 100MB); and the KDE component kdegraphics (saving 26MB). I attempted to re-install, and wouldn't you know it—still too big, by 185MB. 

As you might expect, this was pretty tedious. But when I dug around in the Office Utilities area, I was amazed and delighted to see that the support package openoffice.org-i18n (a package with lots of localization libraries for OpenOffice.org) was a whopping 668MB in size. Because I didn't envision that I'd be editing documents in German, Hebrew or Kanji, I happily deleted it and re-added all the individual apps I'd deleted earlier. I even threw in kdegames, eating up 23MB, but hey, who doesn't like games? 

Finally, 75 minutes after I started the process, I actually was able to proceed with the full installation. It took 18 minutes before I saw "installation finished", which I attribute to the fact that the iPod FireWire drive is slower to access than the internal hard drive in the PowerBook. 


Reboot and Be Happy 

I held down the OPTION key on the keyboard during the boot sequence to be able to access the Yellow Dog Linux OS as an alternative to the Mac OS X on my main PowerBook drive. After about 60 seconds of hunting for options, it showed me both Mac OS X Tiger and Yellow Dog Linux. Eureka! I selected YDL, clicked on the continue button (an arrow) and then was in the yaboot program, where I pressed L for Linux and sat back. Lots of status information scrolled past, including the information that eth0 (the built-in Ethernet port) failed to initialize, which made sense as I wasn't hooked up to a network. Otherwise, I was soon looking at the attractive KDE login window, to which I typed in my new user account information that I'd specified seconds earlier in the first boot utility. 

I then was prompted to select display specifics and was pleased to see that one of the display manufacturers listed was Apple. Scrolling down the long, detailed list, I found the right match: "Apple Titanium PowerBook G4" and accepted the defaults for that display. 

The next step was particularly satisfying, as it asked about audio hardware configuration and worked with the default settings. Previously, when I had installed an earlier version of YDL on the PowerBook, the audio subsystem had failed, never to work again—a valuable upgrade by itself. 

Once the setup was done for KDE, I was running in a full-blown Linux/KDE environment, with all the applications, utilities and games I could want. It was fast, smooth and quite a delight to have a different desktop and user environment on my system. 

But, I wanted to test and ensure that everything still worked properly, so I shut down YDL, and sat looking at a dark screen, realizing that there was really no way to know when it had completed its shutdown. Fortunately, I also was watching the iPod screen, and once the system finished shutting down, the iPod switched from "do not disconnect" to an Apple logo, and then rebooted into iPod mode. 

Indeed, the iPod works perfectly. All my audio files remained intact, and now when I go to the System Information area on the iPod, it shows that the storage capacity of the unit is 1.96GB rather than the earlier 5GB value. Perfect! 

Everything unplugged, | restarted the PowerBook and was gratified to 
watch it quickly and easily restart in Mac OS X, without any indication that 
I'd installed anything unusual, touched any hard drives or restarted in a 
foreign OS just a few minutes earlier. 

Success! 


And in the End 

Alright, it's geeky, but I think it's way cool to have an iPod that can boot any G4 Mac into a full Linux work environment with only a few keystrokes. If you need Linux functionality and don't want to touch your existing Mac OS X systems, this can be a great solution, and you don't even lose the functionality of your iPod along the way. Indeed, a quick search on eBay shows that you can pick up one of these ancient 5GB iPod units for less than $60 US, on average. 

There are some caveats about this installation, however, particularly regarding the very latest iPod systems, which have a slightly different filesystem. If you are going to proceed with this, don't follow my lead but start on the Terra Soft site and read the hardware and configuration notes. It'll save you a lot of heartache down the road. 


Dave Taylor has been involved with the UNIX community since 1980 and was the original author of The Elm 
Mail System. He's written 20 books, including Teach Yourself Unix in 24 Hours and Wicked Cool Shell Scripts. 
He invites all true Linux fans to visit his Weblog at www.askdavetaylor.com. 
SSHFS: Super Easy File Access over SSH 


Matthew E. Hoskins 


Tools like scp, sftp and rsync allow us to copy files easily and securely 
between these accounts. But, what if we don’t want to copy the files 
to our local system before using them? Normally, this would be a good 
place for a traditional network filesystem, such as NFS, OpenAFS or 
Samba. Unfortunately, setting up these network filesystems requires 
administrator access on both systems. 
Luckily, as long as you have SSH access, you can use SSHFS to mount and use remote directory trees as if they were local. SSHFS requires no special software on the remote side, just a modern SSH server with support for the SFTP extension. All modern Linux distributions support this extension, which was added to OpenSSH in version 2.3.0, released in November 2000. 


ILLUSTRATION BY JEFFREY WONG 


SSHFS is built upon the FUSE user-space filesystem framework project. 
FUSE allows user-space software, SSH in this case, to present a virtual 
filesystem interface to the user. This is similar to how the /proc and /sys 
filesystems present kernel internals in the form of files in a directory tree. 
SSHFS connects to the remote system and does all the necessary opera- 
tions to provide the look and feel of a regular filesystem interface for 
remote files. 


Installing SSHFS and FUSE 

I am using Fedora Core 4 on the workstation where I will be mounting the remote directories. The remote system is also Fedora Core 4, but any *NIX system running a modern SSH server with the SFTP extension will work. Your Linux kernel also must have the user-space filesystems feature enabled, either built-in or as a module. 

All the software required for SSHFS is available as packages installable 
with yum for Fedora Core 4. Simply run: 


$ yum install fuse-sshfs 


This installs SSHFS, FUSE and the fuse-lib dependencies automatically. 
You also can build SSHFS from source, but more on that later. 

Before you can use SSHFS or any other FUSE-based filesystem as a 
nonroot user, you must first add those users to the fuse group. In my case, 
my user name is matt. This can be done from the command line as root 
with the command: 
$ usermod -a -G fuse matt 

The fuse group lets you limit which users are allowed to use FUSE- 
based filesystems. This is important because FUSE installs setuid pro- 
grams, which always carry security implications. On a highly secured 
system, access to such programs should be evaluated and controlled. 

After installing and configuring the software, we are ready to give it a whirl. To demonstrate the basic functionality, I will make a connection to a remote system called my.randombox.com. The default operation for SSHFS is to mount the remote user's home directory; this is the most common use of SSHFS. Just like mounting any other filesystem, you need an empty directory called a mountpoint under which the remote filesystem will be mounted. I create a mountpoint named randombox_home, and then invoke the sshfs command to mount the remote filesystem. Here is how it's done: 


$ cd $HOME 
$ mkdir randombox_home 
$ sshfs matt@my.randombox.com: randombox_home 
matt@my.randombox.com's password: ******** 
$ ls -l randombox_home/ 
-rw-r--r-- 1 matt users 7286 Feb 11 08:59 sshfs.article.main.txt 
drwx------ 1 matt users 2048 Mar 21 2001 projects 
drwx------ 1 matt users 2048 Dec 1 2000 Mail 
drwxr-xr-x 1 matt users 4096 Jun 8 2002 public_html 
$ cp ~/my_web_site/index.html randombox_home/public_html/ 


That's it. My home directory on my.randombox.com is now mounted under the directory randombox_home on my local workstation. In the background, FUSE, SSHFS and the remote SSH server are doing all the legwork to make my remote home directory appear just like any other local filesystem. If you want to mount a directory other than your home directory, simply put it after the colon on the sshfs command line. You even can specify / to mount an entire remote system. You will, of course, have access only to the files and directories for which the remote user account has permission. Everything else will get "Permission denied" messages. An example of this is shown below: 


$ cd $HOME 
$ mkdir randombox_slash 
$ sshfs matt@my.randombox.com:/ randombox_slash 
matt@my.randombox.com's password: 
$ ls -l randombox_slash/ 
total 0 
drwxr-xr-x 1 root root 4096 Nov 15 10:51 bin 
drwxr-xr-x 1 root root 1024 Nov 16 07:11 boot 
drwxr-xr-x 1 root root 118784 Jan 26 08:35 dev 
drwxr-xr-x 1 root root 4096 Feb 17 10:37 etc 
drwxr-xr-x 1 root root 4096 Nov 29 09:30 home 
drwxr-xr-x 1 root root 4096 Jan 24 2003 initrd 
drwxr-xr-x 1 root root 4096 Nov 15 10:53 lib 
drwx------ 1 root root 16384 Nov 11 10:21 lost+found 
drwxr-xr-x 1 root root 4096 Nov 11 10:38 mnt 
drwxr-xr-x 1 root root 4096 Jan 24 2003 opt 
dr-xr-xr-x 1 root root 0 Jan 26 08:11 proc 
drwx------ 1 root root 4096 Mar 3 09:34 root 
drwxr-xr-x 1 root root 8192 Nov 15 13:50 sbin 
drwxrwxrwt 1 root root 4096 Mar 5 18:41 tmp 
drwxr-xr-x 1 root root 4096 Nov 11 10:55 usr 
drwxr-xr-x 1 root root 4096 Jan 20 08:16 var 
$ cat randombox_slash/etc/shadow 
cat: randombox_slash/etc/shadow: Permission denied 
$ ls -l randombox_slash/root/ 
ls: reading directory randombox_slash/root/: Permission denied 
total 0 
$ ls -l randombox_slash/home/matt/ 
-rw-r--r-- 1 matt users 7286 Feb 11 08:59 sshfs.article.main.txt 
drwx------ 1 matt users 2048 Mar 21 2001 projects 
drwx------ 1 matt users 2048 Dec 1 2000 Mail 
drwxr-xr-x 1 matt users 4096 Jun 8 2002 public_html 
$ 


Automating the Connection 

As you can see from the above examples, | needed to type my pass- 
word to complete the SSH connection to the remote system. This can 
be eliminated by creating a trust relationship between the local and 
remote user accounts. This is not appropriate in all situations, because 
it essentially makes the accounts equivalent from a security perspective. 
Any malicious activity on one account can spread to other systems via 
the trust, so take caution and fully understand the implications of setting up trust relationships. To begin setting this up, you need to create an SSH key pair, which consists of private and public key files named id_rsa and id_rsa.pub, respectively. 

The public key is copied to the remote system and placed in the 
$HOME/.ssh/authorized_keys file. Some systems may use the filename 
authorized_keys2 in addition to or instead of authorized_keys. 

Figure 2. GNOME automatically mounts the remote directory. 

This allows any user in possession of the private key to authenticate without a password. We create the key pair using the command ssh-keygen. The files are placed in the proper locations automatically on the local system in the $HOME/.ssh directory. Because we already have my remote home directory mounted, appending the public key to the authorized_keys file is extra easy. Below are all the steps required (assuming you created the equivalent of the randombox_home directory and mounted it): 


$ cd $HOME
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/matt/.ssh/id_rsa): <ENTER>
Enter passphrase (empty for no passphrase): <ENTER>
Enter same passphrase again: <ENTER>
Your identification has been saved in /home/matt/.ssh/id_rsa.
Your public key has been saved in /home/matt/.ssh/id_rsa.pub.
The key fingerprint is:
fa:e7:7c:e1:cb:7b:66:8b:67:07:05:99:7f:05:b9:4a matt@myworkstation
$ mkdir randombox_home/.ssh
$ chmod 700 randombox_home/.ssh
$ cat .ssh/id_rsa.pub >> randombox_home/.ssh/authorized_keys
$ chmod 600 randombox_home/.ssh/authorized_keys


In the above example, we create the key pair with an empty
passphrase, then append the public key to the authorized_keys file in the
remote home directory and set the permissions. After this is done, I no
longer need to type the password when connecting to the remote
account. To test this, first we unmount the remote home directory with the
following command:


$ fusermount -u randombox_home 


To test the trust relationship, we can try to run the uptime command 
on the remote system: 


$ ssh matt@my.randombox.com uptime 
12:20:40 up 38 days, 4:12, 0 users, load average: 0.11, 0.04, 0.01 

Good, no password needed. The trust relationship is working properly.
If you have trouble getting this trust relationship to work, check the
permissions on the files in .ssh on both systems. Many times lax permissions
prevent SSH from using key files. Also, take a look at the syslog log files.
OpenSSH's sshd server logs messages into syslog, which often are helpful
in diagnosing key file problems. You may have to increase the logging
verbosity level in the sshd_config file, usually found in /etc/ssh/.

You also can debug the connection by running ssh in the above
example with the -v option to turn up verbosity. Now, let's mount the
remote directory again. This time it does not prompt for my password:
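As an added check (this is not code from the article), here is a Python audit of the permissions the paragraph above says to inspect. It encodes OpenSSH's own rules: the ssh client refuses a private key that other users can read, and sshd under StrictModes ignores authorized_keys when that file, the .ssh directory or the home directory is group- or world-writable or owned by someone else. The function names and the placeholder key contents are ours.

```python
import os
import shutil
import stat
import tempfile
from typing import List, Optional

# Added example, not the article's code. Rules as OpenSSH applies them: the
# ssh client refuses a private key with any group/other bits set, and sshd
# with StrictModes (the default) ignores authorized_keys when it, ~/.ssh or
# the home directory is group- or world-writable or owned by another user.

def _problems(path: str, uid: int, private: bool = False) -> List[str]:
    """Ownership and permission problems for one path (private: a key file)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    mode = stat.S_IMODE(st.st_mode)
    out = []
    if st.st_uid not in (uid, 0):
        out.append(f"{path}: owned by uid {st.st_uid}, not {uid} or root")
    if private and mode & 0o077:
        out.append(f"{path}: accessible to others ({mode:04o}); ssh refuses such keys")
    elif mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append(f"{path}: group/world writable ({mode:04o})")
    return out

def audit_ssh_home(home: str, uid: Optional[int] = None,
                   key_name: str = "id_rsa") -> List[str]:
    """Findings for one account; an empty list means file permissions will not
    block key authentication on this side of the connection."""
    uid = os.getuid() if uid is None else uid
    ssh_dir = os.path.join(home, ".ssh")
    findings = _problems(home, uid) + _problems(ssh_dir, uid)
    for name, private in (("authorized_keys", False), (key_name, True)):
        path = os.path.join(ssh_dir, name)
        if os.path.exists(path):
            findings += _problems(path, uid, private)
    return findings

def demo():
    """Constructed home with the lax modes that typically break key auth,
    then the same tree after the chmods the article shows."""
    home = tempfile.mkdtemp()                     # mkdtemp creates it 0700
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o775)                      # group-writable .ssh
    for name, mode in (("id_rsa", 0o644), ("authorized_keys", 0o664)):
        with open(os.path.join(ssh_dir, name), "w") as f:
            f.write("constructed placeholder, not a real key\n")
        os.chmod(os.path.join(ssh_dir, name), mode)
    before = audit_ssh_home(home)
    os.chmod(ssh_dir, 0o700)
    os.chmod(os.path.join(ssh_dir, "id_rsa"), 0o600)
    os.chmod(os.path.join(ssh_dir, "authorized_keys"), 0o600)
    after = audit_ssh_home(home)
    shutil.rmtree(home)
    return before, after
```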


$ cd $HOME
$ mkdir randombox_home
$ sshfs matt@my.randombox.com: randombox_home
$ ls -l randombox_home/
-rw-r--r-- 1 matt users 7286 Feb 11 16:33 sshfs.article.main.txt
drwx------ 1 matt users 2048 Mar 21  2001 projects
drwx------ 1 matt users 2048 Dec  1  2000 Mail
drwxr-xr-x 1 matt users 4096 Jun  8  2002 public_html


Integrating with the GNOME Desktop
In the last example, we configured and automated non-interactive
mounting of a remote directory. Because we're no longer being prompted for a
password, we can integrate SSHFS mounting into scripts, or better yet the
GNOME desktop. To configure GNOME to mount our remote home
directory automatically, we configure the SSHFS mount command as a session
startup program. This is done from inside the Sessions preferences dialog.
Navigate to Desktop→Preferences→More Preferences→Sessions→Add,
and fill in the dialog as shown in Figure 1.

Upon the next login, GNOME automatically mounts the remote directory
for me, as you can see in Figure 2.

Note that GNOME does not reliably kill this command upon exiting
the session. You can unmount the remote directory manually using the
fusermount -u randombox_home command. Another option is to
automate the unmount by modifying the $HOME/.Xclients-default file to run
the fusermount command as follows:


#!/bin/bash
# (c) 2001 Red Hat, Inc.

WM="gnome-session"
WMPATH="/usr/bin /usr/X11R6/bin /usr/local/bin"

# Kludged to run fusermount upon gnome logout: run the window manager
# in the foreground and unmount the SSHFS directory once it exits.
for p in $WMPATH ; do
    if [ -x "$p/$WM" ]; then
        "$p/$WM"
        fusermount -u "$HOME/randombox_home"
        exit 0
    fi
done

exit 2


Be aware that the .Xclients-default file is rewritten every time you run the
switchdesk utility. You have to modify this file every time you use the
switchdesk utility to change your default desktop
windowing manager.

Finally, you can add the appropriate sshfs
commands in the boot startup file that is
appropriate for your distribution. This way, your system
will mount all the SSHFS directories automatically
each time you boot your desktop.


Building SSHFS from Source 

If your particular Linux distribution does not 
prepackage SSHFS, or if you simply want to build 
it from source, this also is pretty easy. First, confirm 
that you have installed whatever files or packages 
are required for kernel module development. You 
need these to build the FUSE kernel module. Then, 
download the latest source tarballs for both FUSE 
and SSHFS from SourceForge (see the on-line 
Resources). Place the downloaded tarball files in a 
temporary directory, then build and install using 
the following commands in that directory: 


$ tar -xzf fuse-2.5.2.tar.gz
$ cd fuse-2.5.2
$ ./configure --prefix=/usr
$ make
$ su -c "make install"
$ cd ..
$ tar -xzf sshfs-fuse-1.5.tar.gz
$ cd sshfs-fuse-1.5
$ ./configure --prefix=/usr
$ make
$ su -c "make install"


After everything is installed, you are ready to
perform any of the examples presented previously.
The sshfs and fusermount commands are installed in /usr/bin.




Conclusion 

SSHFS and FUSE allow any remote storage to be mounted and used just 
like any other filesystem. If you can log in with SSH, you have all the access 
you need. 

As I said earlier, FUSE is a framework for creating user-space
filesystems. SSHFS is only the tip of the iceberg. There are FUSE-based filesystems
to encrypt your files (EncFS) transparently, browse Bluetooth devices (BTFS)
or mount a CVS repository as a filesystem (CvsFS). Perhaps you were
wondering what to do with all that free space in your Gmail account? Well,
GmailFS allows you to mount your Gmail account and use it like a local
filesystem. See the FUSE Web site for these and more great projects, or
perhaps you would like to write your own. FUSE has language bindings for
Perl, Python, TCL, C, C#, Ruby and others.


Resources for this article: www.linuxjournal.com/article/8943. 


Matthew E. Hoskins is a Senior UNIX System Administrator for The New Jersey Institute of Technology 
where he maintains many of the corporate administrative systems. He enjoys trying to get wildly different 
systems and software working together, usually with a thin layer of Perl (locally known as “MattGlue”). 
When not hacking systems, he often can be found hacking in the kitchen. Matt is a member of the Society 
of Professional Journalists. He is eager to hear your feedback and can be reached at matt@njit.edu. 
INDEPTH


An Introduction to Gambas 


If you think Visual Basic is almost useful, here’s a way to almost get it on Linux. 


MARK ALEXANDER BAIN 


Have you ever wanted to use Visual Basic on Linux? Why? Well, you 
could be like me and have spent many years programming in VB, but want 
to move to Linux without having to learn a new language. It could be that 
you're brand new to programming and need something you can learn 
quickly and easily—and still be able to produce a good quality application. 

Well, now you can—almost. 

Gambas is short for Gambas is—almost—Basic, and it has been
designed to look at the good things VB can do for Windows and then
does them for Linux. Above all, Gambas is easy to use—as this article
shows. I explain how to build a useful application in Gambas—a
bug-tracking system that stores its information in a MySQL database.

Installation is simple. First go to the Gambas Web site, and check the 
Distributions & OS page—this is just to make sure there are no known 
peculiarities with your flavour of Linux. Then, go to the Download page 
and get the most current, stable version (1.0.9 at the time of this writing). 
If you've done this type of thing before, simply carry on and get yourself 
ready to use Gambas; if not, don’t worry—we're nearly there. 

Open a terminal and move to the directory where you've saved the 
bz2 file. If you're going to use 1.0.9, it will be called gambas-1.0.9.tar.bz2. 
Now bunzip2 the file, and follow the installation instructions (unless 
the distribution page has given you some additional parameters for 
your distribution). 

With that, you’re ready to use Gambas. Type gambas on the 
command line, and the welcome screen appears (Figure 1). 

The Gambas screen gives you access to example applications—you'll
find these very useful if you are new to programming. In this case, click on
New Project. Gambas now displays its project creation wizard, so follow the
instructions to create your first project. When asked, create a graphical
project, set the name to bugTracker (note that underscores are not allowed),
and then set the title to Bug Tracker. You also will be asked where to store
your project. I suggest you create a new directory called Gambas in your
home directory and then use it for all future projects as well.

Figure 1. The Gambas Welcome Screen

Next, we jump straight in to the creation of a new form. Right-click in 
the project window, select New and then Form. Gambas puts you into its 
form creation wizard. All you need to do now is give the form a name— 
call it frmBugTracker. (Don’t leave it as Form1. That's very bad practice.) 

Now, you can start adding the elements to the form—and, the first
one to add is a Close button. Why do this first? Quite simply, you
always want to be able to close a form, or an application, for that
matter, cleanly and easily, so get into this habit as quickly as possible. To
create the button, click on its icon in the toolbox (the icon is a box
with OK on it), and then use the left-mouse button to draw it onto the
form. By default, the button is called Button1, but exactly like the
form, we rename it. Click on the button, and press F4 to display the
Properties box. Change its name to btnClose and its text to Close.

The button won't do anything yet—we have to add some code to 
it, which is really, really easy. If you double-click on the button, Gambas 
takes you to the code window, and you'll find an empty 
btnClose_Click subroutine. Modify it so that it says: 


PUBLIC SUB btnClose_Click() 
ME.Close 
END 


You should notice something as you type in the code—as soon as
you put in the period, a drop-down menu appears, giving you all of
the methods and parameters associated with the ME object—in this
case, ME refers to the form, so ME.Close means close this form.

Figure 2. Designing a New Gambas Form

Suppose you want to see the results of your hard work now. Go to 
the Project window and click on the little green run button. And there 
you are—your first Gambas application. You even can close the form 
with your brand-new button. 

Before building the application itself, we need to think about what 
we want the bug tracker to do. Then, we need to have a look at the 
data—how it is to be arranged, and what is going to be stored. 

The bug tracker will have to do the following:

■ Have the details of new bugs entered.
■ Record who raised the bug.
■ Have a bug assigned to a programmer.
■ Update the status of the bug.
■ Record when the bug was raised.
■ Record the release for the bug fix.
■ Provide the ability to view new, working and complete bugs.

The data required is therefore:

■ Who raised the bug.
■ Who is fixing the bug.
■ Bug details.
■ Developer details: ID, first name, surname and user name.
■ Bug details: ID, description, date created, ID of raiser, ID of developer,
  status, release number and application details.


From this, we can start building a database schema. Start by creating a
file (such as database_schema.sql) that we will use to create the database:


/*
 First you must create the database. The listing
 table includes only the user ids for "raised by"
 and "coder".
*/
create database bugtracker;

create table bugtracker.listing (
    id int auto_increment primary key,
    details longtext,
    application_id int,
    release float,
    raised_by_id int,
    coder_id int,
    status_id int,
    created datetime,
    priority int,
    status int);

/*
 The coder table is simple but includes the user name.
*/
create table bugtracker.coder (
    id int auto_increment primary key,
    surname varchar(50),
    firstname varchar(50),
    username varchar(50));

/*
 Finally you can create reference tables for storing
 application names and status titles.
*/
create table bugtracker.application (
    id int auto_increment primary key,
    name varchar(50));

create table bugtracker.status (
    id int auto_increment primary key,
    title varchar(50));

/*
 With the tables created you can add a user account to
 the database for the bugTracker application to log
 on to.
*/
GRANT select,insert,delete,update ON bugtracker.*
    TO bugtracker@localhost IDENTIFIED BY 'mypassword';

/*
 Next you can start loading the data that will make
 the application work. The key information is the coder data.
*/
insert into bugtracker.coder (username,surname,firstname)
    values ('bainm','bain','mark');

/*
 Finally add some dummy data so that you can see
 the application working as soon as possible.
*/
insert into bugtracker.application (name) values ('bugtracker');
insert into bugtracker.status (title) values ('new');
insert into bugtracker.status (title) values ('worked on');
insert into bugtracker.status (title) values ('rejected');
insert into bugtracker.status (title) values ('completed');


Create the database by typing: 
mysql -uroot -p<root password> mysql < database_schema.sql 


So, with the database in place, it’s time to go back to Gambas to 
do some actual programming. 

Now that we've built and loaded data into the database, the first 
thing to do is to connect to it, so we can start communicating with it. 
Gambas makes this very, very easy for us. It comes with components, 
and all we have to do is tell the application to use the appropriate 
component for connecting to databases. We will have to do a little 
coding as well, but that is easy too. 

Go to the Project window, click on Project and then Properties. The 
Properties screen appears—click on the Components tab, and then 
check gb.db (Figure 3). 

Gambas now can use the component to communicate with the
database. All we have to do is add a little bit of code, and we do this
in a module, which is a file for storing code so that it is usable by an
application in general and not just a single form. For instance, the
Close function we already created was only for the one form. We want
to create code that is accessible for any forms that we create.

Figure 3. Enabling the Data Access Component

Right-click on the Project screen, click New and then Module. Gambas
shows the Module Creation wizard. Just like the form and the button we
made earlier, don't leave the module name as Module1. Call it something
useful. In this case, call it Data. Once you create it, you can start adding
code to it. Create the variables that will be used for database access:


PRIVATE myDB AS NEW Connection
PUBLIC tmpRec AS Result


If you've used VB, you'll be happy with the format. If you're new to
this, just take note that the PUBLIC statement makes the variable
global—accessible to the whole application. If you don't want it to be
available to the whole application, define it as PRIVATE.

The next (public) function makes the connection: 


PUBLIC FUNCTION connect2db() AS Boolean
  WITH myDB
    .Type = "mysql"
    .Host = "localhost"
    .Login = "bugtracker"
    .Password = "mypassword"
    .Name = "bugtracker"
  END WITH

  TRY myDB.Open
  IF ERROR THEN
    Message("Cannot Open bugtracker:" & Error.Text)
    RETURN FALSE
  END IF
  RETURN TRUE
END


PUBLIC FUNCTION Exec(sql AS String) AS Result
  ' Keep the last result in tmpRec so that forms can read it as Data.tmpRec
  tmpRec = myDB.Exec(sql)
  RETURN tmpRec
END


We can call these functions from any form that we create. In this
case, we call them from frmBugTracker. Double-click on frmBugTracker
in the Project window, and then double-click anywhere on the form
itself. This takes you into the code window, and you should see:


PUBLIC SUB Form_Open() 
END 


Now we add code to tell the form to connect to the database, and 
we also add a function to carry out a simple security check: 


PUBLIC SUB Form_Open()
  Data.connect2db

  IF (check_id() = FALSE) THEN
    Message("Unable to log on as " & System.User)
    ME.Close
  END IF
END


PRIVATE FUNCTION check_id() AS Boolean
  ' Look the Linux user name up in the coder table
  Data.Exec("select id" &
    " from coder" &
    " where username = '" & System.User & "'")
  IF (Data.tmpRec.Available) THEN
    RETURN TRUE
  ELSE
    RETURN FALSE
  END IF
END


If you run the project now, little will have changed, apart from the 
fact that it will take a little longer to load—it now has to connect to 
the database. However, the form will check the user's Linux user ID 
against the list of coders on the database using the function check_id. 
It displays a message and then closes the form if the ID is missing. 

Next (keeping it simple), we create a pair of combo-boxes. One
(cmbBugid) displays the list of bug IDs assigned to the current user. The
other (cmbStatus) displays a list of the possible statuses. We then add a
subroutine (loadCombos) to fill in the details of the combo-boxes. Once you have
added the combo-boxes from the toolkit, write the required subroutines:

Add this to the Data module: 


PUBLIC SUB loadCombo(combo AS ComboBox, sql AS String)
  combo.Clear
  tmpRec = myDB.Exec(sql)
  FOR EACH tmpRec
    combo.Add(tmpRec[0])
  NEXT
END


Add this to frmBugTracker:

PRIVATE SUB loadCombos()
  Data.loadCombo(cmbBugid, "select l.id" &
    " from listing l, coder c" &
    " where l.coder_id = c.id" &
    " AND c.username = '" & System.User & "'")
  Data.loadCombo(cmbStatus, "select title from status")
END

Figure 4. Viewing the Details of a Bug

For the code to run, we must change Form_Open:


IF (check_id() = FALSE) THEN 
message ("Unable to log on as " & system.user) 
ME.close 
ELSE 
loadCombos 
END IF 


Now we can click on the combo-box to select the required 
bug ID, and use this to run another query in order to view the 
particular details. To do this, we need a text area (txtDetails) and 
some text boxes (txtCreated and txtRaisedby, txtPriority, 
txtApplication and txtVersion). 

Double-click on cmbBugid, go into code edit mode, and edit the
code so that it reads:


PUBLIC SUB cmbBugid_Click()
  Data.Exec("SELECT l.priority, l.created," &
    " l.details, l.release," &
    " s.title, c.username, a.name" &
    " from listing l, coder c, status s, application a" &
    " where l.id = " & cmbBugid.Text &
    " AND l.status = s.id" &
    " AND l.raised_by_id = c.id" &
    " and l.application_id = a.id")

  txtDetails.Text = Data.tmpRec!details
  txtCreated.Text = Data.tmpRec!created
  txtRaisedby.Text = Data.tmpRec!username
  txtPriority.Text = Data.tmpRec!priority
  txtApplication.Text = Data.tmpRec!name
  txtVersion.Text = Data.tmpRec!release
  cmbStatus.Text = Data.tmpRec!title
END


The next stage is to be able to log a new bug. We need to
create a new form (frmAddBug), and we add an extra button to
frmBugChecker—calling it btnAddBug and change the text to
Add Bug. Don't forget to add a Close button before doing
anything else. Next, add a text area (txtDetails), a text box (txtPriority)
and a combo-box (cmbApplication). You also will need another
button (btnSave):


PUBLIC SUB Form_Open() 
loadCombos 
END 


PRIVATE SUB loadCombos() 
data. loadCombo(cmbApplication,"select name from application") 
END 


Our third form will view all bugs. Create a new form (frmViewAll),
and then go to frmBugManager, copy all of the elements and
paste them into frmViewAll. You need to change the order of the
objects so that the status combo-box is at the top of the form.


Also add another text box (txtCoder). Finally, select the new Add
Bug button, change the name to btnAccept and change the text
to Accept.

For this form, we need some code to load cmbStatus first, because
this will drive the others:


PUBLIC SUB Form_Open()
  loadCombos
  cmbStatus_Click
END


PRIVATE SUB loadCombos()
  Data.loadCombo(cmbStatus, "select title from status")
END


PUBLIC SUB cmbStatus_Click()
  Data.loadCombo(cmbBugid, "select l.id" &
    " from listing l, status s" &
    " where l.status = s.id" &
    " and s.title = '" & cmbStatus.Text & "'")
  cmbBugid_Click
  IF (cmbStatus.Text = "new") THEN
    btnAccept.Enabled = TRUE
  ELSE
    btnAccept.Enabled = FALSE
  END IF
END


PUBLIC SUB cmbBugid_Click()
  txtDetails.Text = ""
  txtCreated.Text = ""
  txtRaisedby.Text = ""
  txtCoder.Text = ""
  txtPriority.Text = ""
  txtApplication.Text = ""
  txtVersion.Text = ""
  IF (cmbBugid.Text <> "") THEN
    ' The coder may not be assigned yet, hence the left join on coder c
    Data.Exec("SELECT l.priority, l.created," &
      " l.details, l.release," &
      " s.title, r.username," &
      " c.username coder, a.name" &
      " from listing l" &
      " left join coder c on l.coder_id = c.id" &
      ", coder r, status s, application a" &
      " where l.id = " & cmbBugid.Text &
      " AND l.status = s.id" &
      " AND l.raised_by_id = r.id" &
      " and l.application_id = a.id")
    txtDetails.Text = Data.tmpRec!details
    txtCreated.Text = Data.tmpRec!created
    txtRaisedby.Text = Data.tmpRec!username
    txtCoder.Text = Data.tmpRec!coder
    txtPriority.Text = Data.tmpRec!priority
    txtApplication.Text = Data.tmpRec!name
    txtVersion.Text = Data.tmpRec!release
  END IF
END


PUBLIC SUB btnAccept_Click()
  Data.runSQL("update listing" &
    " set coder_id = " & Data.coder_id(System.User) &
    ", status = 2" &
    " where id = " & cmbBugid.Text)
  Form_Open
END


The last thing you need is the status change code in frmBugTracker:


PUBLIC SUB cmbStatus_Click()
  DIM version AS String
  version = txtVersion.Text

  IF (version = "") THEN
    version = "Null"
  END IF
  Data.runSQL("update listing" &
    " set status = " & Data.get_id("status", "title", cmbStatus.Text) &
    ", release = " & version &
    " where id = " & cmbBugid.Text)
END
This has been a very brief look at Gambas, but hopefully, it has
shown just how easy it is to use to create a real working application.
Resources for this article: www.linuxjournal.com/article/8951. 


Mark Alexander Bain learned his trade working at Vodafone for nearly 20 years—using UNIX and
Oracle. More recently, he has worked as a lecturer at a University in the UK and as a freelance writer.
You can find his work at www.markbain-writer.co.uk.


Figure 5. The Final Application 
How to Set Up and Use Tripwire


All about Tripwire and what it can do for you. 


Tripwire is an intrusion detection system (IDS) that constantly and
automatically keeps your critical system files under control and reports
if they have been destroyed or modified by a cracker (or by mistake). It
allows the system administrator to know immediately what was
compromised and fix it.

The first time Tripwire is run it stores checksums, exact sizes and
other data of all the selected files in a database. The successive runs
check whether every file still matches the information in the database
and report all changes. Tripwire initially was released in 1992. Today,
several programs share this name; one is GPLed and two are proprietary.
The rest of this article discusses only the GPL version 2.3.1.


When Is the Right Moment to Start Using Tripwire? 
IDS tools are particular beasts, and Tripwire is no exception. Even if you 
don’t need to be an expert programmer to use this package, actually 
taking advantage of it requires some patience, attention and manual 
work. 

First, using Tripwire is one of those cases in which blindly pressing 
Enter at every prompt really isn’t a smart thing to do. Do yourself a 
favor and check at least the relevant parts of the good documentation 
provided with the Tripwire programs (more on this later). 

Second, using Tripwire for real makes sense only if it is installed, 
fully configured and initialized at the very first boot after an installation 
from scratch, before ever connecting to the Internet or doing anything 
else. It takes only one attack to install a back door. All you would 
accomplish by installing and using Tripwire after such an event would 
be to guarantee that the back door remains just as open as the day a 
cracker installed it! Of course, even if you don't want to or can't
reinstall everything now, nothing prevents you from downloading the
package anyway and becoming familiar with it.

Here is how to explain to Tripwire what's important to you. The 
Tripwire distribution includes several binaries, the corresponding man pages 
and two files that regulate the program's behavior, which we will call, for 
brevity, the Tripwire system files. The first one (/etc/tripwire/twcfg.txt), 
where several variables are defined, is for general configuration and 
even may be the same for all the computers on the same LAN. Its 
contents go from the location of the Tripwire database to instructions 
on minimizing the amount of time the passphrases are kept in memory 
or the number of redundant reports. 

Other important parameters are the editor (the default is vi) for
interactive usage and how reports should be sent by e-mail. The
complete syntax and meaning of all possible variables are described in the
twconfig man page.

The other system file (/etc/tripwire/twpol.txt) contains the policy 
that declares all the objects that must be monitored and what to do 
when one of them is lost or altered. Unlike the configuration file, the 
policy could (and almost certainly will) vary across the several computers 
on the same network. For example, the packages installed on a firewall 
will be different from those on a development workstation or an office 
laptop, even if the same GNU/Linux distribution is used. 

The first thing to do to create a good Tripwire policy (and, in
general, have a less stressful sysadmin life) is to remove as many
unneeded programs as possible before starting. Next, to make your
usage of Tripwire as quick and effective as possible, your policy
must cover everything you really need to monitor and nothing else.
This includes, at least, all the system binary and library directories
(that is, the contents of /bin, /sbin, /usr/bin, /lib and so on) and the
corresponding configuration files in /etc/. The example twpol.txt
file distributed with Tripwire contains anything that could be on a
UNIX system, so it is guaranteed to complain about programs that
you never installed or placed in a different location. This is an
example of what you might see:


### Warning: File system error.
### Filename: /dev/cuad
### No such file or directory
### Continuing...


There is a safe and easy way, even if potentially long and boring, 
to remove such bogus warnings. Simply run the initial configuration 
procedure described below several times. Scan the report each time, 
and comment out the checks that generated false alarms until they all 
disappear. Of course, before starting, do what should be done before 
configuring any new package—that is, make a copy of the originals: 


cp -p twcfg.txt twcfg.txt.orig 
cp -p twpol.txt twpol.txt.orig 


A Tripwire policy is a sequence of two kinds of rules. Normal ones 
define which properties of a file or directory tree must be checked, in 
this format: 
object_name -> property_mask (rule attribute = value); 

The property_mask specifies which properties must be examined or 
ignored. Attributes provide additional, rule-specific information like 
the rule severity or who should be informed by e-mail if that rule is 
violated. The other kind of rules are stop points, which tell Tripwire 
not to scan a particular file or directory. Tripwire also understands 
several directives for conditional interpretation of the policy, diagnostics 
and debugging. To know all the gory details, print out and study the 
twpolicy man page. 


Initial Configuration 
After everything has been placed in the proper directories, either from 
a binary package or compiling the sources, the first action to take as 
root is to generate two robust—that is, hard to guess—passphrases. 
The first one (site passphrase) is used to encrypt and sign the Tripwire 
system files. The second one (local passphrase) is necessary to launch 
the Tripwire binaries. 

Theoretically, the Tripwire distribution should include an
/etc/tripwire/twinstall.sh script that should prompt the user for
passphrases and other information and then perform all the steps
below. At the time of this writing, both the Tripwire 2.3.1 RPM
package for Fedora Core 4 tested for this article and several on-line tutorials
still say to use that script, but it just wasn't there after the installation.
In any case, the utility that performs these tasks is twadmin. Because it
has a complete man page, and it should be used anyway if you want
to change keys after installation, we just show how it works. The
actions described above are executed with the following commands:


twadmin --generate-keys --site-keyfile my_home_key
    --site-passphrase 'Hello LJ readers'

twadmin --generate-keys --local-keyfile my_local_key
    --local-passphrase 'Penguins are cool'


This leaves the two keys encoded in the my_home_key and,
respectively, my_local_key files. Remember to copy these two names in the
twcfg.txt file before running twadmin:


SITEKEYFILE  =/etc/tripwire/my_home_key
LOCALKEYFILE =/etc/tripwire/my_local_key


Once the passphrases have been stored, the configuration file must 
be encrypted in this way: 


twadmin --create-cfgfile --cfgfile twcfg.enc 
--site-keyfile my_home_key twcfg.txt 

Please enter your site passphrase: 

Wrote configuration file: /etc/tripwire/twcfg.enc 


The procedure to create a binary version of the policy is similar: 


twadmin --create-polfile --cfgfile twcfg.enc --polfile
    twpol.enc --site-keyfile my_home_key twpol.txt


The difference, with respect to the former command, is that
now the encrypted configuration file must be passed to twadmin.
The reason the two files must be encrypted is that Tripwire will
discover if they are corrupted much more easily than if they were
in plain-text format. In order to read such files directly, you need
(besides the passphrases, obviously) the --print-cfgfile or --print-polfile
options of twadmin.


Database Creation 
Once the passphrases and system files are all set, it’s time to go into 
what the documentation calls Database Initialization Mode: 


tripwire --init --cfgfile twcfg.enc --polfile tw.pol
    --site-keyfile my_home_key --local-keyfile my_local_key


By default, the result is stored in /var/lib/tripwire/YOURHOSTNAME.twd. 
Path and name can be changed in twcfg.txt or given as a command- 
line option. Eventually, if everything goes fine, you'll be greeted by 
this message: 


Wrote database file: /var/lib/tripwire/YOURHOSTNAME.twd
The database was successfully generated 


Periodic Checks 

As soon as encrypted system files, passphrases and a complete
snapshot of your system are available, Tripwire finally can do the only thing
we really care about—that is, to check the integrity of our computers
periodically. This is normally accomplished by running the program as a
cron job with this switch:

tripwire --check

Figure 1. Sample Tripwire Report


Note that, just to allow secure, automatic usage, the program 
doesn't need passphrases when launched in this way. Consequently, 
there is no need to write them in plain text anywhere. The integrity 
report is printed both to STDOUT (so it can be e-mailed to the system 
administrator) and saved in the location specified by the REPORTFILE 
variable in the configuration file. How often this operation should be 
performed depends on how critical the system is and how often it is 
exposed to external attacks. Although a corporate firewall should be 
checked daily, a weekly check may be enough for a department print 
server behind it or a regular desktop. 

Figure 1 shows an example of what a Tripwire report looks like. It
tells you, for every rule defined in the policy, which of the correspond-
ing files were added, changed or modified. Command-line options are
available to check only specific sections of the policy file, or just some
files. This could be useful, for example, when nothing was modified in
the system, but there is the suspicion that some particular disc or parti-
tion was damaged.

The integrity checking procedure also can be interactive. Adding
the --interactive switch causes Tripwire to open an editor, after the
check, to allow the user to declare which files should be permanently
updated in the Tripwire database. This is a manual alternative to the
update mode described below.


Update Policies 

Immediately after any system change, be it due to installation, update 
or removal of software or configuration files, it is mandatory to update 
the plain-text policy file and regenerate the binary database. Any suc- 
cessive Tripwire check would be meaningless otherwise. Therefore, run 
this command whenever it’s necessary: 


tripwire --update-policy --twrfile a_previous_integrity_report.twr


Because it is so critical, this operation requires both your local and
site passphrases. When launched in this way, Tripwire detects as viola-
tions any changes that happened after the specified integrity check. In
such a case, an actual update of the policy, ignoring such violations, is
possible only if the user explicitly tells the program to run in low securi-
ty mode. The corresponding option is -Z low and is explained in detail
in the Tripwire man page.


Reading the twfiles and twintro man pages, which contain short and
up-to-date overviews of all the files and programs that compose the
Tripwire suite, is highly recommended before starting the installation.
The actual Tripwire binary, if called with the --help option, lists all
the available options. Like many FOSS programs, all the utilities of
this package accept both short and long forms of their command-
line options.

For example, tripwire --check also can be written as tripwire
-m c. The second form is faster when one already knows Tripwire and
has to use it interactively, but the explicit command is recommended in 
scripts, for documentation or didactical purposes. The -v option puts 
any Tripwire command in verbose mode. Common wisdom also sug- 
gests that both the binary and text versions of the Tripwire system 
files be stored on a separate computer, write-protected floppy disk or 
USB drive. 

Remember that one of the first things a determined cracker will do 
is to replace just those files with her own copies, to hide any trace of 
attack. The periodical reports placed by Tripwire in /var/lib/tripwire are 
in binary, optionally signed format. Consequently, they can’t be read 
straight from the prompt, and they also can't even be processed directly 
by a shell script for automatic comparison or other purposes. The 
solution is to use the twprint command, which comes with its own 
complete man page, as in this example (note that you must pass the 
binary configuration file for it to work): 


twprint --print-report --cfgfile twcfg.enc --twrfile /var/lib/tripwire/report/my_tripwire_report

The digital signatures of each binary file can be checked directly
with the siggen utility, which also has its own man page:
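As an added example that is not part of the article (my code, not Tripwire's), the following cron wrapper ties the pieces above together: it first confirms that the encrypted system files still match the copies you kept on write-protected media, runs the passphrase-free check, turns the binary .twr report into text with twprint and mails the administrator only when violations were found. Assumptions not taken from the article: the paths below, a sha1sum checksum list standing in for siggen as the offline reference, and the "Total violations found:" and "* rule" lines of the printed report, which real Tripwire reports carry.

```shell
#!/bin/sh
# Added example: unattended Tripwire check for cron (not from the article).
# Run with TW_CHECK_RUN=1 in the crontab line; without it, only the
# functions are defined so the script can be sourced and tested.
set -u

# Assumed paths; adjust to your twcfg.txt settings.
CFG=/etc/tripwire/twcfg.enc
REPORT_DIR=/var/lib/tripwire/report
# Checksums of twcfg.enc, twpol.enc and the .twd database, created with
# "sha1sum /etc/tripwire/*.enc /var/lib/tripwire/*.twd" onto removable
# media. Regenerate it after every policy or database update.
REFERENCE=/media/usb/tripwire-files.sha1
ADMIN=root

# Print the violation count found in a plain-text (twprint) report and
# return non-zero when it is not zero, so callers can branch on it.
violation_count() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$n" ] || n=0
    printf '%s\n' "$n"
    [ "$n" -eq 0 ]
}

# Names of the rules marked with "*" in the report's Rule Summary table
# (the name ends at the first run of two or more spaces).
flagged_rules() {
    sed -n 's/^\* \([^ ]\( \{0,1\}[^ ]\)*\)  .*/\1/p' "$1"
}

# Compare the live Tripwire system files against the offline checksum list.
# A mismatch means the files the check itself depends on were replaced,
# so any report produced afterwards cannot be trusted.
verify_reference() {
    sha1sum -c --quiet "$1" >/dev/null 2>&1
}

main() {
    host=$(hostname)
    twr="$REPORT_DIR/$host-$(date +%Y%m%d-%H%M%S).twr"
    txt="${twr%.twr}.txt"
    if ! verify_reference "$REFERENCE"; then
        echo "Tripwire system files on $host differ from the offline reference" |
            mail -s "Tripwire files TAMPERED on $host" "$ADMIN"
        exit 2
    fi
    # Check mode needs no passphrase, so it is safe to run from cron.
    tripwire --check --cfgfile "$CFG" --twrfile "$twr" >/dev/null 2>&1
    # The .twr file is binary; twprint renders it as text for grep and mail.
    twprint --print-report --cfgfile "$CFG" --twrfile "$twr" > "$txt"
    if ! count=$(violation_count "$txt"); then
        {
            echo "$count violation(s) on $host. Rules affected:"
            flagged_rules "$txt"
            echo
            cat "$txt"
        } | mail -s "Tripwire ALERT on $host" "$ADMIN"
    fi
}

if [ "${TW_CHECK_RUN:-0}" = 1 ]; then
    main
fi
```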


/usr/sbin/siggen /etc/tripwire/twcfg.enc

Signatures for file: /etc/tripwire/twcfg.enc

CRC32  Dmjkiz
MD5    DTn311w6Wx3+7TXv7SHPjA
SHA    D5N1Pv4biCnd14igf/anGM3pvVH
HAVAL  BEJmfzpcA/Txq5nf9kgsVb


The Open Source Tripwire Project had been quiescent for some 
time. Luckily, just a few days before the deadline of this article, 
version 2.4.0.1 was released on SourceForge, and it is the one 
you'll likely find packaged for your distribution by the time you 
read this. Besides the source tarball, it is also possible to download 
x86 static binaries built on a Gentoo 2005 distribution. There are 
no remarkable changes in functionality, so everything explained in 
this article should still apply as is. The other good news is that this 
is the first release in which the old build system has been replaced 
by a standard autoconf/configure environment. Unfortunately, due 
to some gcc 4 compatibility problems on Fedora Core 4, it wasn't 
possible to test this version in time. However, as soon as this port- 
ing is completed, it should be much easier to add new features 
and package Open Source Tripwire for all modern GNU/Linux distri- 
butions. You’re welcome to join the effort and report bugs on the 
developers mailing list (see the on-line Resources). Thanks to Paul 
Herman and Ron Forrester for releasing this new version and the 
time they spent to answer my questions. 


Resources for this article: www.linuxjournal.com/article/8950. 
The World Is a libferris Filesystem


With libferris, the boundary of your filesystem extends to include PostgreSQL,
XML, db4, RDF, the X Window System, Evolution and much more. BEN MARTIN


The libferris virtual filesystem always has sought to push the 
boundaries of what a filesystem should do in terms of what can be 
mounted and what metadata is available for files. During the past five 
years, it has expanded its capabilities from mounting more traditional 
things, such as tar.gz, SSH, digital cameras and IPC primitives, to being 
able to mount various Indexed Sequential Access Mechanism (ISAM) 
files, including db4, tdb, edb, eet and gdbm; various relational 
databases, including odbc, MySQL and PostgreSQL; various servers, 
such as HTTP, FTP, LDAP, Evolution and RDF graphs; as well as XML files 
and Sleepycat’s dbXML. 

Recently, support for indexing filesystem data using any combina- 
tion of Lucene, ODBC, TSearch2, xapian, LDAP, PostgreSQL and Web 
search has been added with the ability to query these back ends for 
matching files. Matches naturally are presented as a virtual filesystem. 
Details of using the index and search capabilities of libferris appeared
in the February 2005 issue of Linux Journal in my article “Filesystem
Indexing with libferris”. I should mention that anything you see mounted
as a filesystem in this article can be indexed and searched for as
described in that past article on searching.

You can access your libferris virtual filesystem either by native 
libferris clients or by exporting libferris through Samba. 

The two primary abstractions in libferris are the Context and the 
Extended Attribute (EA). A Context can be thought of as a superclass 
of a file or directory. In libferris, there is less of a distinction between a 
file and a directory with the ability for a file to behave like a directory if 
it is treated like one. For example, if you try to read a tar.gz file as a 
directory, libferris automatically mounts the archive as a filesystem and 
lists the contents of the archive as a virtual filesystem. 

The EA interface can be thought of as a similar concept to the Linux 
kernel’s EA interface. That is, arbitrary key-value data is attached to files 
and directories. This EA concept was extended early on in libferris to 
allow the value for an attribute to be derived from the content of a file. 
This means simple things like width and height of an image or video file 
become first-class metadata citizens along with a file’s size and modifi- 
cation time. The limits on what metadata is available extend far beyond 
image metadata to include XMP, EXIF, music ID tags, Annodex media, 
geospatial tags, RPM metadata, SELinux integration, partially ordered 
emblem categories and arbitrary personal RDF stores of metadata. 

Having all metadata available through a single interface allows 
libferris to provide filtering and sorting capabilities on any of that 
metadata. As such, you can sort a directory by any metadata just as 
easily as you would use ls -Sh to sort by file size. Sorting on multiple 
metadata values is also supported in libferris; you can sort your files 
easily by MIME type, then image width, then modification time—with 
all three pieces of metadata contributing to the final directory ordering. 
Any libferris virtual filesystem can have filtering and sorting applied to 
it to obtain a new libferris virtual filesystem. 

You can store EA values into a personal RDF store—for example, 
when you write an image width to an extended attribute. When you 
subsequently read the image width, you get the value you just wrote 
to the EA. This extends naturally to other situations, such as when you 
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change the x or y EA for a window, which should move the window. 

Allowing EA to be stored in a personal RDF file lets you add meta- 
data to any libferris object, even those for which you have only read 
access. For example, you can attach emblems or comments to the 
Linux Kongress Web site just as you would a normal file. 

An interesting EA for all files is the content EA, which is equivalent 
to the file’s byte contents. Exposing the file itself through the EA inter- 
face means that any information about a file can be obtained via the 
same interface. 

libferris is written in C++ and provides a standard IOStream inter-
face to both Contexts and EA. Many standard file utilities have been
rewritten to take advantage of libferris features. These clients include
ls, cp, mv, rm, mkdir, cat, find, touch, IO redirection and more.


Filesystem Interaction 
As we explore these filesystems, I use the ferrisls command, which
mimics the coreutils ls(1) command. As well as the -l long listing
option, I use the -0 (zero) recommended-ea option of ferrisls. This
operates in much the same way as -l, though it asks the filesystem
itself which EAs are most interesting for the user to see. I assume a
shell alias of fls=ferrisls in the code examples.

I start by showing interaction with the standard kernel-based
filesystems and some of the EA possibilities. Along with the recom-
mended-ea option, ferrisls supports the --xml option to produce an
XML document as output. This records which EA each value belongs
to and provides one possibility to drive Web interfaces using libferris.


Listing 1. A Long Listing of a Directory with Explicit Metadata

$ fls -l \
    --show-ea=size-human-readable,width,height,name
4.5k 48 46 emacs.png
13k 48 48 gnome-warning.png
Sek 48 48 gnome-xterm.png
De 48 48 gtkvim.png


Listing 2. Asking libferris itself to determine which EAs are
of interest for the current directory and producing an XML
document as output.

$ fls -0 --xml
<ferrisls>
<ferrisls url="file:///tmp/lj" name="lj" >
<context size-human-readable="4.5k"
    protection-ls="-rw-r----- "
    mtime-display="05 Dec 4 23:39"
    name="emacs.png" width="48" height="46" />
</ferrisls>
</ferrisls>

As mentioned previously, if you are sorting a directory on an EA
that does not provide a complete ordering, you can chain together
sorting predicates. For example, in Listing 3, I have sorted the output
based on the numeric EA height and then used a version string sort on
the name EA. A version sort is similar to the ls(1) -v option, which in
Listing 3 has placed foo20.png after foo3.png. Such sorting is very use-
ful when sorting by file type or MIME major type followed by name.


Listing 3.

$ fls --show-ea=width,height,size,name \
    --ferris-sort='(:#:height) (:V:name)'
48 48 1968 gnome-warning.png
48 48 B58) gnome-xterm.png
48 48 2550 gtkvim.png
48 46 4589 emacs.png
48 46 4589 foo03.png
48 46 4589 foo20.png


The two concepts of files forming a tree and files having key-value 
pairs attached to them are similar to the structure of XML. With libferris, 
you can poke inside XML documents as though they were just another 
filesystem. For example, see Listing 4. 


Listing 4.

$ cat example.xml
<root>
<file1 size="200" />
<file2 interesting="yes" />
<file3>filesystems rock
</file3>
</root>

$ fls -0 ./example.xml/root
file1
file2
file3

$ fls -d --show-ea=name,interesting \
    ./example.xml/root/file2
file2 yes

$ fcat example.xml/root/file3
filesystems rock


By interacting with your filesystem, you can cause updates on the 
underlying XML document as well. The ferris-redirect client exists to 
allow shell-like redirection into libferris files. The -T or --trunc option 
truncates an existing file before writing stdin into it. This is much like 
the >| shell option. As you can see from the interaction in Listing 5, we 
have changed the structure of the example.xml document significantly 
through filesystem interaction. 
Listing 5. Changing an XML File through Its Filesystem

$ echo "VIRTUAL filesystems rock more" | \
    ferris-redirect -T ./example.xml/root/file3

$ echo "a new way" | \
    ferris-redirect ./example.xml/root/file4

$ ferrisrm ./example.xml/root/file2

$ ftouch ./example.xml/root/touched

$ cat example.xml
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<root>
<file1 size="200"/>
<file3>VIRTUAL filesystems rock more
</file3>
<file4>a new way
</file4>
<touched/>
</root>


Listing 6. OpenOffice.org Documents Are Filesystems Too

$ fls -lh --show-ea=size,name,content \
    ~/sample-oo-writer.odt/content.xml/ \
    office:document-content/office:body/office:text
0 office:forms
18 text:p Paragraph number 1
0 text:p-1
116 text:p-2 This is the second paragraph ...
0 text:p-3
39 text:p-4 And in summary, this is really...
0 text:p-5
0 text:sequence-decls


Listing 7. C++ Code Fragment Applying an XSLT to a Filesystem

fh_context c = Resolve( "~/example.odt/content.xml/"
    "office:document-content/office:body/office:text" );
DOMDocument* theDOM = Factory::makeDOM( c );
...
// should use XercesDOMWrapperParsedSource
XalanTransformer theXalanTransformer;
theXalanTransformer.transform( theDOM, "~/my-oo.xsl", cout );


Listing 8. Mounting Evolution and the X Window System

$ fls evolution://localhost
contacts mail

$ fls -0 evolution://localhost/contacts/system/
witme-ferris witme-ferris@lists.sourceforge.net

$ fls -0 xwin://localhost/clipboard
0 #include <Ferris/Ferris.hh>
1 Let the cricket stick to its hearth
2


Listing 9. PostgreSQL as a Filesystem

$ psql
# create database tmp;
# \c tmp
# create table foo ( message varchar(100) not null,
    id int primary key );
# insert into foo values ( 'doki doki', 1 );
# \q

$ fls -0 pg://localhost/tmp/foo
doki doki 1 1 id

$ fcat pg://localhost/tmp/foo/1
<context id="1" message="doki doki" />

$ echo "waku waku" | ferris-redirect \
    -T --ea=message pg://localhost/tmp/foo/1

$ fls -0 pg://localhost/tmp/foo
waku waku 1 1 id

$ gfcreate pg://localhost/tmp/foo
# See the gfcreate-tuple figure

$ fls -0 pg://localhost/tmp/foo
utsukushii 2 2 id

$ psql tmp;
# select * from foo;
  message   | id
------------+----
 waku waku  |  1
 utsukushii |  2


Figure 1. Creating a New Tuple in PostgreSQL through the Filesystem


As many modern word-processing documents are XML inside a
compressed container, libferris allows you to drill down into the office
document as though it were a filesystem. In Listing 6, I am listing a
simple OpenOffice.org Writer document as a filesystem.

A Xerces-C Document Object Model (DOM) can be obtained for
any libferris filesystem, just as a Xerces-C DOM can be mounted as a
libferris filesystem. Creation of a DOM for a filesystem is evaluated lazi-
ly, so you can get a DOM for file:// and only the parts of the DOM that
are required are ever created.

The ability to convert any libferris filesystem into a DOM allows you
to apply XSLT to your filesystems easily. The example C++ code in
Listing 7 applies a stylesheet to a mounted OpenOffice.org document.

Recently, support for mounting applications, such as Firefox,
Evolution and the X Window System, was added to libferris.
The evolution:// filesystem allows you to mount your Evolution mail
client. Support currently extends to your mail folders and contacts.
Using this filesystem, it is no longer necessary to save attachments to
temporary files to access them from ferris-aware systems.

Mounting your X Window System is done via the xwin:// filesystem.
This gives access to your window objects as well as lets you mount
Klipper on KDE desktops. For Klipper, you can ls, cat and cp your past
clipboard interactions easily, and overwriting the top clipboard element
is effectively a clipboard copy. The window mounting lets you see where
your windows are in terms of x,y offsets as well as other interesting
data. Listing 8 shows a sample session of mounting my Evolution mail
client and the X Window System.

Mounting databases allows you to explore 
the database server, its databases and their 
tables and views. Shown in Listing 9, I create
a database, populate it and interact with it as 
a virtual filesystem. The final command using 
the --xml option for ferrisls exports each tuple 
in XML format. 

Instead of embedding the user name and 
password in the URL, libferris elects to store 
this information in configuration files. This is 
a trade-off when the risk of accidentally 
copying and pasting a URL with embedded 
user credentials is minimized at the expense 
of having a central store of available creden- 
tials and mappings for where to use each 
credential. For many common URLs, inline 
authentication information is also supported. 

The invocation of gfcreate shown in 
Listing 9 is captured in Figure 1. 


Listing 10. What types of things can I create
for a PostgreSQL filesystem?

$ fcreate -l pg://localhost/tmp
listing types that can be created
for context: pg:///localhost/tmp
queryview
table

$ fcreate -l pg://localhost/tmp/foo
listing types that can be created
for context: pg:///localhost/tmp/foo
tuple


A libferris filesystem can nominate 
which objects it is happy to have created 
on it. You can see this list by using the 
fcreate or gfcreate tools in the ferriscreate
package. A large list of possibilities will be
displayed for an fcreate -l /tmp, for
example. For a PostgreSQL database, you
can create only a small number of new 
object types, as shown in Listing 10. I'll 
use fcreate in a moment to create a new 
empty db4 file to show how filesystem 
monitoring is virtualized in libferris. 

Many changes made to a libferris 
filesystem are reflected instantly in other 
libferris applications. Many kernel-level 
interfaces let applications know when a 
kernel filesystem changes—for example, 
inotify and dnotify. libferris extends this to 
allow clients to know when a virtual 
filesystem has changed. For example, when 
you update an element inside of an XML 
file, inotify tells you only that the XML file 
has changed. With libferris, you can see 
exactly which part of the XML file was 
modified by other libferris applications. 

Listing 11 demonstrates the filesystem monitoring support. In the
example, I use the --monitor-all option of ferrisls. This makes ferrisls
operate like a tail -f for your given URL; any creation, deletion or
interesting filesystem activity is shown on the console. In another
terminal, Listing 12, I'm creating, deleting and writing to “files”
inside a Berkeley db4 file. ferrisls happily reports what is happen-
ing to these virtual files.


Listing 11. Output of One Virtual Console

$ fcreate --create-type=db4 --rdn=raw.db .
$ fls --monitor-all -0 ./raw.db
Created new1
Changed c:0x8321f88 /tmp/ljdb/raw.db
Changed c:0x8321f88 /tmp/ljdb/raw.db
Deleted new1
Created redirected-output
Changed c:0x8321f88 /tmp/ljdb/raw.db


Listing 12. Output of Another Virtual Console

$ ftouch ./raw.db/new1

$ ferrisrm -v ./raw.db/new1
removing ./raw.db/new1

$ echo "hello" | \
    ferris-redirect -T ./raw.db/redirected-output

$ fcat ./raw.db/redirected-output
hello


Listing 13. Setting Up Xine to Play Annodex Files

$ cat xine.desktop
[Desktop Entry]
Name=xine
Comment=Video Player
Exec=xine
MimeType=video/mpeg;...
Icon=~/icons/xine.png
Terminal=0
Type=Application

$ ferris-import-desktop-file xine.desktop

$ ferris-set-file-action-for-type -v -a xine \
    /tmp/Wombats.anx

# Lets view the video.
$ alias fv="ferris-file-action -v"
$ fv /tmp/Wombats.anx

Many operations performed with libferris are also stored for pos- 
sible future use. This includes the types of files you recently created 
(png, jpeg, db, tuple and so on), which files you recently edited and 
viewed and more. All of this is kept only for your personal use and 
never sent anywhere. Storage of metadata on files you view and 
edit is called remembrance in libferris. Only view and edit actions 
invoked through libferris are currently remembered. Listing 13 shows 
how I set up Xine to be executed as the default view operation on
Annodex media files. 

Now we can explore what libferris knows about our past oper- 
ations. By default, remembered operations are grouped by opera- 
tion type then media type. The recommended EA for the final 
directories in the tree are the filename and the time it was last 
viewed or edited. This history virtual filesystem shown in Listing 
14 shows only a set amount of the most recent operations so as 
not to become too large. 

For each file, you also can bring up the complete list of view and 
edit times. This uses what libferris calls a branch filesystem. A branch 
filesystem best can be described as an entire personal filesystem 
attached to a file. Branch filesystems are accessed using the branches:// 
handler; all other URL handlers appear as direct children of branches://. 
Listing 14. Showing Recent View Operations

$ fls remembrance://
history

$ fls remembrance://history
edit view

$ fls remembrance://history/view
video

$ fls -0h remembrance://history/view/video
/tmp/Wombats.anx 05 Dec 6 21:34


Listing 15. Branch Filesystems: a Filesystem about a File

$ fls branches://file/tmp/Wombats.anx
branchfs-attributes branchfs-medallions
branchfs-remembrance branchfs-extents
branchfs-parents branchfs-signatures

$ fls -0 branches://file/tmp/\
    Wombats.anx/branchfs-remembrance/view
10.7M -rw-rw---- 05 Dec 6 21:34 ... 05 Dec 6 21:34
10.7M -rw-rw---- 05 Dec 6 21:34 ... 05 Dec 6 21:38

$ fls --xml \
    branches://file/tmp/Wombats.anx/branchfs-extents
<ferrisls>
<ferrisls
    url="branches://.../branchfs-extents"
    name="branchfs-extents" >
<context name="0"
    start-block="14245376"
    end-block="14267375"
    start-address="0"
    end-address="21999" />
</ferrisls>
</ferrisls>


In Listing 15, I take a look at what branches are available for
my media file and explore the remembrance view filesystem. Then,
out of curiosity, I take a look into the extents branch and see that
the kernel's XFS filesystem has placed the whole media file in a 
single contiguous extent on disk. 

To see if a file has a valid digital signature, you simply can 
read the has-valid-signature EA on the file. The signatures branch 
filesystem allows much more detail to be exposed about the 
signature. The branchfs-attributes filesystem exposes all EAs for 
a file as a filesystem. Sometimes it is more convenient to access 
an EA as though it were a file. 


Future Directions 

In the future, libferris will continue to support mounting more things
and obtaining more metadata where it can. A module for FUSE is
planned to supplement the current Samba support.


Resources for this article: www.linuxjournal.com/article/8947. 


Ben Martin has been working on filesystems for more than ten years. He is currently working toward a PhD 
combining Semantic Filesystems with Formal Concept Analysis to improve human-filesystem interaction. 
USB Pendrives and Distributions for Them


A look at three distributions you can use to boot Linux from a USB pendrive.


JUAN MARCELO RODRIGUEZ


A pendrive is a USB storage device. You plug it in to a USB port, and 
if the pendrive is compatible with your operating system, it should look 
exactly like another disk on your system. These days, it is easy to find 
pendrives with 1GB of storage. 

It so happens that there has been an explosion of bootable live 
CD versions of Linux. Both commercial and noncommercial Linux 
distributions are providing live CDs (including Linspire, SUSE, 
Ubuntu, Kubuntu, Knoppix and Mepis, to name only a few—there 
are many more). 

Imagine a mixture of both concepts—a USB storage device and 
a live CD version of Linux. You can pack a lot of features of a 
GNU/Linux live CD into 1GB. The USB pendrive has the advantage 
of being writable, which the live CD lacks. So, you can boot Linux 
from a pendrive and store data on it too. The end result is that, as 
long as you can find a machine that will boot from a pendrive, you 
have a fully portable version of Linux that carries your applications, 
settings and data. 


The Choices 

I cover three LiveUSB distributions in this article: SLAX, Damn Small
Linux (DSL) and Flash Linux. Each one has different window managers 
and different apps. 

SLAX works with tmpfs and Unification fs (UFS), which give it 
some nice advantages. SLAX is based on Slackware Linux with the 2.6 
Linux kernel. 

DSL is a little distribution of 50MB. DSL configures Fluxbox very 
nicely. Some of the apps included are Mozilla Firefox, the Slypheed mail 
client, xmms, text editors, graphics viewers and more. It includes a 2.4 
Linux kernel with good hardware detection, but it doesn’t have the big 
apps other distributions have, such as The GIMP. It is a compact distri- 
bution with a script to install it to LiveUSB. 

Finally, Flash Linux is a solid distribution that uses the 2.6 kernel 
and the fast JFFS2 filesystem. It has good speed, both as a live CD and 
LiveUSB, and it includes large applications, such as The GIMP and 
OpenOffice.org. It uses grub, bootsplash, framebuffers and GNOME, 
and is based on Gentoo. 


Boot from USB 
The biggest challenge in using a USB pendrive for your Linux distribu- 
tion is booting the pendrive. Old motherboards do not support the 
ability to boot from USB hardware, so you may need to use a floppy 
disk to boot your USB-based distribution. Newer motherboards let you 
boot drives usually referred to as USBHDD, USBZIP, USB-FDD and others, 
such as USB-CDROM. 

The first step to using a pendrive is to delete the original pen- 
drive partitions, if there are any. Then, add a FAT16 partition, and 
format it with mkdosfs. I used cfdisk to do the work, but you can
use fdisk too.

Check your dmesg log when you plug in the device to see if it 
is working: 


dmesg | tail

You should see a message similar to the following:

sda: assuming drive cache: write through
sda: sda1

Format the partition you created with the following line:

mkdosfs -F 16 /dev/sda1


(Change sda1 to whatever partition is appropriate for your system.) 
Unplug the hardware, and plug it in again. You now are ready to 
install the distribution. 


Damn Small Linux 

Go to the DSL Web site (see the on-line Resources) and download the 
ISO image file for the current version of DSL, and burn the ISO to a CD 
or DVD. Boot from this CD or DVD. The boot starts with a welcome 
screen, like most live distributions. 

DSL looks for hardware, and then it installs and configures it. 
Depending on your machine, it will bring up an X server running 
Fluxbox in less than two minutes. 

After booting from the DSL live CD, right-click on the Fluxbox desk-
top to open the Fluxbox menu. Go to Apps→Tools→Install to install it
to your USB pendrive. Here, you have two options for installing the dis- 
tribution: install to USBHDD or USBZIP hardware. DSL will ask about 
the location of the pendrive, and it also asks if you want to install DSL 
from the live CD, from a file or from the Web. 

I suggest you use your broadband connection to download the
files. In fact, if you have a router that supports DHCP, DSL should 
recognize your Ethernet card and have no problems accessing the 
Internet at boot time. DSL supports PPPoE too, if your Internet 
connection requires it. 

I missed the features of the 2.6 kernel (the next release of DSL
should support 2.6), but it’s still a good little distribution. I think DSL is
fine as it is, but if you need a big office suite, you should use SLAX. 
Resources that you must read if you use DSL are the Wiki and the com- 
plete DSL forums. You will find many tips and tricks with plenty of 
information that will be helpful if you run into problems. 


Floppy-Based Boot Process

If your machine doesn’t allow you to boot from a USB pendrive, you can
boot DSL from a floppy. Download the file bootfloppy-usb.img from the
DSL site, and copy the image to a floppy disk with dd:

dd if=bootfloppy.img of=/dev/fd0

Modify your computer BIOS to boot from the floppy first, and then
boot the floppy image file of DSL. This boot image will
launch the USB version of DSL. This process works with
just about any distribution that offers a floppy boot
image for booting USB pendrives.


SLAX

The SLAX site says, “SLAX is a fast and beautiful Linux
operating system, which fits on small (3.14") CD-ROM
disc. It runs directly from the CD (or USB) without
installing. The live CD described here is based on the
Slackware Linux distribution and uses the Unification
File System (also known as unionfs), allowing a read-
only filesystem to behave as a writable one, saving all
changes to memory.” Fortunately, when you use a
pendrive, you don’t have to worry about emulating
write operations because, unlike a CD, the pendrive
memory is writable.

You can use UFS to merge storage from several
sources, including network storage, into one local directory.
This makes UFS a good solution for diskless workstations,
because it makes it easy to keep your home directory on a
network storage device.

SLAX is a modular distribution, so you can add fea-
tures as you need them. It lets you configure your installa-
tion for many different purposes. You might be able to
watch a DVD, use QEMU, burn CDs and DVDs, run fire-
walls, antivirus apps and much, much more. Check the list
available on the project's site (see Resources) to find out
about modules that add new features to SLAX.


SLAX Installation
To install SLAX, get the latest version from the Web site
(see Resources). SLAX has many versions of the same dis-
tributions, with certain differences in apps and size. Select
among Frodo, Standard, Popcorn or KillBill editions. I used
the slax-5.0.7b.iso standard edition of 200MB with KDE.
Mount the ISO image file of SLAX using the loopback
device. In my case, I called the mount directory slax. Here
is the command I used:

mount -o loop slax-5.0.7b.iso slax/

As before, format the USB pendrive to use FAT16:

mkdosfs -F 16 /dev/sda1

(Change sda1 to whatever partition is appropriate for your
system.)

After you have a bootable and formatted FAT16 partition, mount it:

mount -t vfat /dev/sda1 /mnt/usb/

And go to the pendrive location (/mnt/usb):

cd /mnt/usb/

Copy all the files from the directory slax/, where you mounted the
ISO of SLAX, to the mounted pendrive:

cp -rav slax/* /mnt/usb/

Synchronize the data:

sync


Now, copy the files vmlinuz and initrd.gz to the root directory, 
where you mounted the pendrive, in our case from the directory 
/mnt/usb/, and do: 


cp boot/vmlinuz . 
cp boot/initrd.gz . 


Then, edit the file called isolinux.cfg: 
pico isolinux.cfg 


Remove every string called boot/ before vmlinuz and initrd.gz. 
Then, rename it to syslinux.cfg to use syslinux with the device: 


mv isolinux.cfg syslinux.cfg 

Finally, install and update the MBR with LILO or GRUB:

lilo -M /dev/sda

And, use syslinux to finish the process:

syslinux -s /dev/sda1


SLAX is installed—enjoy it. Unmount the pendrive and reboot.
Change your BIOS to boot from the USB pendrive, and reboot again.
You may need to use LILO or GRUB to update or install the master
boot record on the pendrive.
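The SLAX steps above, collected into one script as an added example (this is not code from the article or from the SLAX project). It assumes the ISO, the whole-disk device and its partition are passed as arguments, that isolinux.cfg sits in the pendrive root as the article's pico step implies, and it adds one check the article leaves to the reader: before mkdosfs and lilo touch the device, it confirms that the kernel flags it as removable in sysfs, so a slip such as /dev/hda instead of /dev/sda is refused rather than formatted.

```sh
#!/bin/sh
# Added example, not from the article: the SLAX pendrive procedure as a
# script, with a removable-device guard.  Argument names, mount points
# and the sysfs check are my assumptions; the real run needs root and
# the mkdosfs, lilo and syslinux tools.

# Succeed only if the kernel flags $1 (e.g. /dev/sda) as removable.
# $2 is the sysfs root, default /sys (a test can supply a constructed tree).
is_removable() {
    flag="${2:-/sys}/block/$(basename "$1")/removable"
    [ -r "$flag" ] && [ "$(cat "$flag")" = 1 ]
}

# Turn isolinux.cfg into syslinux.cfg: vmlinuz and initrd.gz were copied
# to the pendrive root, so the boot/ prefix from the CD layout has to go.
# $1 = isolinux.cfg to read, $2 = syslinux.cfg to write
isolinux_to_syslinux() {
    sed -e 's|boot/vmlinuz|vmlinuz|g' -e 's|boot/initrd\.gz|initrd.gz|g' "$1" > "$2"
}

# $1 = SLAX ISO, $2 = whole pendrive (e.g. /dev/sda), $3 = its partition (e.g. /dev/sda1)
make_slax_pendrive() {
    iso=$1; disk=$2; part=$3
    if ! is_removable "$disk"; then
        echo "refusing to touch $disk: not flagged removable" >&2
        return 1
    fi
    isomnt=$(mktemp -d); usbmnt=$(mktemp -d)
    mount -o loop "$iso" "$isomnt" &&
    mkdosfs -F 16 "$part" &&
    mount -t vfat "$part" "$usbmnt" &&
    cp -rav "$isomnt"/* "$usbmnt"/ &&
    sync &&
    cp "$usbmnt/boot/vmlinuz" "$usbmnt/boot/initrd.gz" "$usbmnt"/ &&
    isolinux_to_syslinux "$usbmnt/isolinux.cfg" "$usbmnt/syslinux.cfg" &&
    rm "$usbmnt/isolinux.cfg" &&
    lilo -M "$disk" &&
    syslinux -s "$part"
    status=$?
    umount "$usbmnt" 2>/dev/null; umount "$isomnt" 2>/dev/null
    rmdir "$usbmnt" "$isomnt"
    return $status
}

# Usage: sudo ./slax-pendrive.sh slax-5.0.7b.iso /dev/sda /dev/sda1
if [ $# -eq 3 ]; then
    make_slax_pendrive "$@"
fi
```

The rename step of the article becomes "write syslinux.cfg, delete isolinux.cfg", so the boot/ edit and the rename cannot get out of step; everything after the guard is chained with && so a failed mkdosfs or mount stops the script before lilo rewrites the MBR.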

SLAX has KDE, Fluxbox, K3b, Media Player, a Web browser, mail, 
office suite, Kopete and many other applications. You can find a com- 
plete list on the SLAX Web site (see Resources). 

SLAX doesn’t have the speed of DSL, but has the 2.6.15 kernel, 
excellent network support, the parted application (partition editor) and 
more. It's by far a more complete distribution than DSL, but you pay 
for it in size. 


Flash Linux 

The Flash Linux distribution is based on Gentoo Linux. Get the Flash
Linux ISO image file from the Web site (see Resources), and burn
it to CD. Then, boot from the CD in order to install the LiveUSB
version on the pendrive. Download the three parts of the ISO from
sourceforge.net/project/showfiles.php?group_id=124770.
Currently, the three parts are flashlinux-0.3.4-RC2.iso-part1,
flashlinux-0.3.4-RC2.iso-part2 and flashlinux-0.3.4-RC2.iso-part3.
After you download these files, put them together:


cat flashlinux-0.3.4-RC2.iso-part1 flashlinux-0.3.4-RC2.iso-part2 \
    flashlinux-0.3.4-RC2.iso-part3 > flashlinux-0.3.4-RC2.iso


Flash Linux has a beautiful Bootsplash and framebuffer theme. It 
also includes the accelerated NVIDIA driver, which is great if you have a 
GeForce video card. 

Hardware detection also was fantastic. Flash configured all my 
devices without a hitch. 

After you boot and log in, install Flash on the pendrive. You will
need two partitions on the pendrive: a boot partition of 4MB and a
second partition of at least 256MB.
The Flash Linux people suggest you set up the partitions with fdisk.
Plug in your pendrive and run:


fdisk /dev/sda 


(Again, change sda to the drive designation your computer uses for the 
pendrive, if it is different from sda.) 

Delete every existing partition. Then, add the 4MB partition for the 
boot partition. Next, create a second partition that uses the rest of the 
free space on the pendrive. Write the changes and quit fdisk. 

Now, download the installation script for USB devices. Download 
the flash_key.sh installer file from the Web site, and put it in the root 
folder of your Flash Linux Live CD. 

If the script doesn’t see your device, you may need to modify the
script. Replace the line:


dev=`readlink /${i}|cut -d"/" -f1`

in PICKDEVICE with:

dev=`readlink /${i}|cut -d"/" -f2`

Add execution permissions to the script, and execute it:


chmod 755 flash_key.sh 
./flash_key.sh 


Now, follow the easy steps given by the wizard. First, select the 
correct device to install Flash Linux, then the 4MB boot partition. After 
that, select the root partition, and install Flash Linux in the pendrive. 
First, the script erases the pendrive, then mounts it, and finally it copies 
the apps and data to the pendrive. This last step took more than eight 
minutes on my machine. Be patient, and after that enjoy Flash Linux. 

The highlights of Flash Linux are good speed, thanks in part to the 
fact that it uses JFFS2 and many applications. Details such as animated 
cursors and cursor shadows as well as good window decorations, 
make your Flash Linux Desktop nice. 

The only downside to Flash Linux is that it takes many steps to get 
the pendrive working. Also, I don’t know why Flash Linux developers
don’t include an installer as part of the distribution instead of making 
you run a script. 


Final Ideas and Impressions 

For the desktop user, pendrives and LiveUSB are fantastic. If you have a 
pendrive, experiment with it—install DSL, SLAX, Flash Linux, Feather, 
Puppy or other distributions on the hardware. 

Your mileage may vary, but I prefer SLAX. The modular nature of SLAX
offers a wide range of options and features that a Linux professional
should appreciate. SLAX has security modules, the ClamAV antivirus app, a
Qt GUI, firewalls and so on. If you work often with security live CDs,
pendrives and LiveUSB are also ideal, because with one device, you solve two
problems. You can save data, and if you are a developer, have security and
development modules on the other side of your pendrive.


Resources for this article: www.linuxjournal.com/article/8949. 
The Ultimate Linux/Windows System


Use cross-platform applications and shared data for the ultimate Linux/Windows system.


KEVIN FARNHAM


I recently converted my Toshiba notebook computer into a dual-boot
system, running Windows XP Pro and Ubuntu Linux. I was hoping
I'd be able to use cross-platform applications such as Mozilla Firefox,
Mozilla Thunderbird, AbiWord, Gnumeric and SciTE transparently, no
matter which operating system was currently booted. This article
describes the steps I took to make this possible.


Dual-Boot Computer Configuration for Shared Application Data

In what follows, | assume you already have a dual-boot computer that 
has a working Linux and Windows operating system installed. You also 
must have an adequately sized additional disk partition for storing 
shared application data. This partition must be readable and writable 
by both operating systems. FAT32 (VFAT) is the logical choice. 

My notebook came with Windows XP Pro installed on a 30GB
hard drive. The computer was well used, its disk nearly filled, before
I decided to convert it to a dual-boot system. I offloaded lots of data,
and used the Windows defragment program to reduce my total
Windows size below 15GB. Then, I used utilities on the Linux System
Rescue CD to resize the original Windows partition and make new
partitions as follows:


■ Partition 1: Windows NTFS primary partition, 18.5GB.

■ Partition 2: Linux ext3 primary partition, 5GB.

■ Partition 3: Linux swap partition, 1GB.

■ Partition 4: FAT32 partition for shared application data, 5GB.


Making a dual-boot system with only 30GB of total disk space is
not ideal. My shared application data partition was 80% full once I
loaded my archived e-mail, working documents and various ongoing
cross-platform software development projects. For a more ideal setup, I
recommend at least 60-80GB of disk space. In that case, I'd allocate
20GB for Windows, 10GB for Linux, 1-2GB for Linux swap and make
the remainder the FAT32 shared partition.


Configuring and Accessing the Shared Disk Partition

Windows views a FAT32 partition as a separate disk drive
and assigns it a drive letter. The letter assigned depends on
what storage devices are connected to the system—for
example, floppy or CD/DVD drives. On my system, Windows
identifies the FAT32 partition as drive E:. Use Windows
Explorer to verify the Windows drive letter for your FAT32
partition.

When I installed Ubuntu Linux, I selected mounting the
FAT32 partition at boot time, using the mountpoint /share.
After Linux boots, you can verify that the FAT32 partition is
mounted with the UNIX df command (Listing 1).

Although the /share partition is mounted, there is a problem. By 
default, the root user owns the /share partition. A standard user
will not have read or write permission, and will not be able to run 
programs that access the shared data. Fortunately, the UNIX mount 
command provides options for a partition to be mounted with ownership 
set to a user other than root. This is one method for enabling you to 
read and write the shared partition using your normal login. 

If only one person uses the computer, or only one user needs 
access to the shared partition, the best plan is to mount the /share par- 
tition at boot time, but with your login provided with ownership and 
full access rights. To configure this, you need to know your user ID and 
group ID. The /etc/passwd file stores this information. Here's the entry 
for my user name (kevin) in my /etc/passwd file: 


kevin@lyratoshibaubuntu:~$ cat /etc/passwd | grep kevin
kevin:x:1000:1000:kevin,,,:/home/kevin:/bin/bash


The user ID is the number after the second colon. The group ID is 
the number after the third colon. The example shows that user kevin is 
assigned user ID 1000 and group ID 1000 on my system. 

Now, you must edit the /etc/fstab file. This filesystem table identi- 
fies the filesystems the booting Linux system can expect to see, and 
instructs Linux on what actions to take for each filesystem. You need 
to switch to the root user account to edit the file. 

First, make a backup copy of the current working /etc/fstab file, so 
you can revert to that version if something goes wrong. Next, bring the 
fstab file into an editor, such as vi, emacs, gedit or scite. Find the line 
for the /share file system, and change the data in the <options> 
column to defaults, uid=uuuu, gid=gggg where uuuu and gggg are 
your user ID and group ID from /etc/passwd. 

Your finished /etc/fstab file should look something like Listing 2. 

If multiple user accounts need to access the shared partition, you need 
a different strategy. One option is not to mount the /share partition at 
boot time, but instead make a script that users execute to mount the 
partition giving themselves ownership and full access. 

Listing 1. UNIX df Command Showing Mounted /share Partition


kevin@lyratoshibaubuntu:~$ df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/hda2              5036316   1748816   3031668  37% /
tmpfs                   184936         0    184936   0% /dev/shm
tmpfs                   184936     12588    172348   7% /lib/modules/2.6.12-9-386/volatile
/dev/hda1             18427896   9955608   8472288  55% /media/hda1
/dev/hda4              4713876    417898   4295978   9% /share


Listing 2. /etc/fstab File with Boot-Time Mounting of the
Shared Partition, Giving Ownership to a Specific User


kevin@lyratoshibaubuntu:~$ cat /etc/fstab
# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>      <options>
proc            /proc           proc        defaults
/dev/hda2       /               ext3        defaults,errors=remount-ro
/dev/hda1       /media/hda1     ntfs        defaults
/dev/hda4       /share          vfat        defaults,uid=1000,gid=1000
/dev/hda3       none            swap        sw
/dev/hdc        /media/cdrom0   udf,iso9660 user,noauto


To disable mounting /share at boot time, edit /etc/fstab and place a
# at the start of the /share filesystem line. This makes the line a comment.
Then, find the user ID and group ID in /etc/passwd for each user
who requires full access to the /share partition. Finally, place a script file
similar to the following into the home directory of each user, inserting
each user’s user ID and group ID after uid= and gid=, respectively:


kevin@lyratoshibaubuntu:~$ cat mountShare.csh 
sudo mount -t vfat -o uid=1000,gid=1000 /dev/hda4 /share 


After logging in to Linux, the user opens a terminal window and
executes the command script to mount the FAT32 partition with the
needed access settings:

bash ./mountShare.csh

However the shared partition is mounted, you can verify that
you have ownership and full access to the /share directory with a
long listing of path /:


kevin@lyratoshibaubuntu:~$ ls -l / | grep share
drwxr-xr-x 18 kevin kevin 4096 1969-12-31 19:00 share
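The uid/gid lookup and the two mount variants described above, as an added example (not code from the article). The function names and the optional passwd-file argument are my own; the latter exists so the lookup can be exercised against a constructed passwd file. One deliberate difference from the article's `cat /etc/passwd | grep kevin`: the lookup matches the whole first field, so a second account such as kevinb, or a GECOS field that happens to mention the name, cannot be picked up by mistake and mounted with the wrong ownership.

```sh
# Added example, not from the article: look up a user's uid and gid the
# way the article does from /etc/passwd (exact match on the login field),
# then build either the fstab line or the per-login mount command from them.

# Print "uid gid" for user $1 from passwd file $2 (default /etc/passwd).
# Exit status 1 if no such login exists.
passwd_ids() {
    awk -F: -v u="$1" '$1 == u { print $3, $4; found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# The /etc/fstab line that mounts the share at boot owned by one user
# (the shape of the article's /dev/hda4 row in Listing 2).
fstab_share_line() {   # $1 device, $2 mount point, $3 uid, $4 gid
    printf '%s %s vfat defaults,uid=%s,gid=%s\n' "$1" "$2" "$3" "$4"
}

# The multi-user alternative: the mount command a user runs under sudo
# after login, with the ids looked up rather than typed into the script.
mount_share_cmd() {   # $1 user, $2 device, $3 mount point, [$4 passwd file]
    ids=$(passwd_ids "$1" "${4:-/etc/passwd}") || { echo "unknown user $1" >&2; return 1; }
    printf 'mount -t vfat -o uid=%s,gid=%s %s %s\n' "${ids% *}" "${ids#* }" "$2" "$3"
}

# Usage with the article's values (first line as root, second as the user):
#   fstab_share_line /dev/hda4 /share $(passwd_ids kevin) >> /etc/fstab
#   sudo $(mount_share_cmd "$USER" /dev/hda4 /share)
```

Because `mount_share_cmd` only prints the command, a user can read exactly what will be run under sudo before running it; the uid and gid come from the passwd file at that moment rather than from a number copied into a script months earlier.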


Using Your Shared Application Data Space 
At this point, you are ready to use applications that run on both 
Windows and Linux to do work on documents stored in your shared 
application data space. If I’m working under Windows, I store and
access my documents using drive E:. Again, the drive letter for the
FAT32 partition may be different on your system. If I’m working under
Linux, I store and access the same documents in my /share partition.
Before you start editing documents, make sure you have the same 
version of each application installed on Windows and Linux. Don’t just 
hope there are no configuration or data file structure changes between 
two different releases of an application. 


Mozilla Suite 
I use Mozilla Firefox as my Web browser and Mozilla Thunderbird as my
e-mail client. Before I converted my notebook into a dual-boot system, I
had run Firefox for a long time, and it had many bookmarks. I also had
multiple years of saved e-mail messages. Naturally, with my new dual-boot
system, I wanted to run Firefox using all of my previously saved
bookmarks, and I wanted to be able to use Thunderbird transparently in
Windows and Linux, having full access to all my archived e-mail.

Is this possible? Thanks to the configuration strategy employed by
the Mozilla Suite developers, the answer is “yes”! Both Firefox and
Thunderbird organize their configurations via profiles. Each profile is
stored in its own subdirectory, which by default is
located beneath the top-level configuration directory 
for the application. The name and location of each 
profile is stored in an index file named profiles.ini. This 
structure gives us the flexibility to store the configura- 
tion data for any profile in any disk location accessible 
to the user—for example, on our FAT32 shared appli- 
cation data partition. 
Before you make any configuration changes, make
sure Firefox and Thunderbird are not running. Then,
create a directory on the shared partition where your
Mozilla application configuration data will be stored
for access by both Windows and Linux. I chose to
make a users directory with a subdirectory named
kevin, my user name under both operating systems.
This is convenient if I decide later to have multiple
users on the system. In that case, I'll make a separate
path for each user’s unique configuration data, so that the logged in
user accesses and maintains his or her own configuration.

Under Windows, the path to my application configuration directory
is E:\users\kevin. Under Linux, the path is /share/users/kevin.




Mozilla Firefox Shared Configuration 

For reference, I performed my Firefox shared configuration using
Firefox version 1.5. However, the procedures also should work with
1.0.x versions of Firefox.

My Windows Firefox installation contained all my personal bookmarks
and other configuration settings, so I reconfigured that Firefox first. In
Windows, find the Application Data directory for your user name beneath
the Documents and Settings directory. You should see a directory named
Firefox that has a subdirectory named Profiles. The Profiles directory will
have at least one subfolder. Here's how it looks on my system:

Figure 1. Windows Firefox Application Data Folder Location and Structure

The profiles.ini file tells Firefox where to find its configuration data.
Open profiles.ini in an editor, and you should see something like this:


[General]
StartWithLastProfile=0

[Profile0]
Name=default
IsRelative=1
Path=Profiles/z9qffpsf.default
Default=1


This profiles.ini file identifies my configuration as having a single profile,
with the configuration data located in the folder Profiles/z9qffpsf.default,
relative to the directory where profiles.ini is located. Looking at the folder
tree in Figure 1, you can see the Profiles/z9qffpsf.default folder, with various
subfolders. This is the location of all of my unique Firefox configuration
information. This is the data I want to be able to access (read and write),
whether I am booted in Windows or Linux. In your own Firefox installation,
the *.default folder will have a different name. You need to substitute
the name of your own profile directory as you perform the steps
described below.

To make my configuration data available to both operating systems,
I made a Firefox\Profiles directory beneath my shared E:\users\kevin
directory, then copied the original Firefox Profiles\z9qffpsf.default
configuration directory to that path. Figure 2 shows the result.

I renamed the original z9qffpsf.default directory on my C: drive to
maintain a backup copy in case of unanticipated disaster.

Next, I edited profiles.ini to point to the new location of the Firefox
configuration profile. I set the IsRelative flag to zero and the Path location
to the shared partition location where I copied the configuration
folder. When setting the path, make sure you use Windows-style
backslashes. Otherwise, Windows Firefox won't recognize the new location.
Here's my edited profiles.ini file:


[General] 
StartWithLastProfile=0 


[Profile0]
Name=default
IsRelative=0
Path=E:\users\kevin\Firefox\Profiles\z9qffpsf.default


I saved a copy of this file as profiles_new.ini, so I could return to it
in case something went wrong on my first try.

Figure 2. Moved Firefox Configuration Directory


When you've got all of this completed, launch Firefox. If a window 
pops up asking if you want to import settings from another browser, 
something is incorrect in your setup. In this case, Firefox will have over- 
written the profiles.ini file and created a new default configuration 
directory. Check your backup copy of your new profiles.ini file and the 
directory names on the shared partition, make any necessary correc- 
tions, re-save your corrected profiles.ini file, and try launching Firefox 
again. When you have all the configuration elements correct, Firefox 
launches as it always did, with all of your bookmarks available. 

Now, Linux Firefox must be configured to use the same profile. 
Boot in to Linux and mount the shared partition using one of the 
described methods. In Linux, Firefox stores the configuration files 
beneath a user's home in directory .mozilla. Go into this directory, then 
into the firefox subdirectory, and execute ls -l. You'll see a profiles.ini
file, the pluginreg.dat file and a configuration profile subdirectory.

To make the Linux Firefox use the configuration profile that was 
placed onto the shared partition, edit the profiles.ini file. Set the 
IsRelative flag to zero, and set the Path to the correct /share location. 
Here's my modified Linux profiles.ini file:


[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=0
Path=/share/users/kevin/Firefox/Profiles/z9qffpsf.default
Default=1 


Start Firefox. If all is correct, you'll see your standard Firefox session 
with all the bookmarks you originally stored using Windows Firefox 
available. If this doesn’t happen, check the profiles.ini file again, make 
certain the /share partition is mounted correctly, with proper ownership
and permissions, and verify the exact path to the shared Firefox config- 
uration directory. Replace profiles.ini with your corrected version, and 
launch Firefox again. 


Mozilla Thunderbird Shared Configuration 

The configuration organization for Thunderbird is similar to that for 
Firefox. For reference, I made my shared configuration using
Thunderbird version 1.0.7. 

In Windows, find the Thunderbird directory beneath Application 
Data in the Documents and Settings directory tree for your user name. 
You might think the Thunderbird directory would be beneath Mozilla, 
parallel to the Firefox directory, but this wasn't the case on my system. 
In the Thunderbird directory, you'll see the familiar profiles.ini file and a 
Profiles folder, as with Firefox. 

To make all of your stored e-mail accessible from both your 
Windows and Linux installations, the configuration folder must 
be moved to the shared partition. I made a directory \users\kevin\Thunderbird
on my shared partition and copied the Profiles directory
from the default Windows location into the new shared directory. In 
my case, the view from Windows Explorer looks like Figure 3. 

Figure 3. Moved Windows Thunderbird Configuration Directory

I renamed my original configuration directory to have a backup and
also to be certain that it would no longer be accessed by my operational
Windows Thunderbird.

Next, I changed the profiles.ini file to point to the new Thunderbird
application data location. My initial profiles.ini looked like this:


[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/19ximc3t.default


I changed IsRelative to zero and set Path to the new Thunderbird
location on the shared partition, switching the path directory separators
to standard Windows backslashes. Here’s my modified file:


[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=0
Path=e:\users\kevin\Thunderbird\Profiles\19ximc3t.default


When you've done all of this, start Thunderbird. If everything has 
been modified correctly, Thunderbird starts normally. If the configura- 
tion is not correct, Thunderbird will ask about creating a new profile. In 
this case, cancel and exit the program, check your new profiles.ini file
and the location of the Thunderbird files on the shared partition. 
Correct any problems, then run Thunderbird again. 

On Linux, you'll find the Thunderbird profiles.ini file in the directory 
.mozilla-thunderbird, beneath your home directory. Edit profiles.ini to
identify the configuration you set up from Windows on the shared par- 
tition as the profile Thunderbird should use. Again, set IsRelative to 
zero and Path to the shared location. Here’s my modified Linux 
Thunderbird profiles.ini file: 


[General] 
StartWithLastProfile=1 


[Profile0]
Name=default
IsRelative=0
Path=/share/users/kevin/Thunderbird/Profiles/19ximc3t.default
Default=1 


Launch Thunderbird, and you should have full access to all your 
e-mail accounts and all the e-mail messages that were saved originally 
by Thunderbird running on Windows. If Thunderbird asks about creat- 
ing a new profile, exit and check your work. 
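The profiles.ini edit that the Firefox and Thunderbird sections above perform by hand four times (once per application and operating system), as an added example that is not code from the article or from Mozilla. It assumes the profiles.ini layout shown on this page ([ProfileN] sections carrying Name=, IsRelative= and Path=); the function name and the .bak backup are my own conventions. Only the section whose Name= matches is rewritten, the new path is passed through untouched so Windows backslashes survive, CRLF line endings from a file written under Windows are preserved, and a Linux-style path that does not exist on the running system produces a warning, because that is precisely the situation in which Firefox or Thunderbird would silently create a fresh profile and overwrite profiles.ini.

```sh
# Added example, not from the article: point one Mozilla profile at an
# absolute directory by rewriting its section of profiles.ini.
# $1 = profiles.ini, $2 = profile name (the Name= value), $3 = new path
# (Windows-style E:\... or Linux-style /share/...; used verbatim)
point_profile_at() {
    ini=$1
    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 1; }
    cp "$ini" "$ini.bak"        # the article keeps a copy to fall back on
    case $3 in
        /*) [ -d "$3" ] || echo "warning: $3 does not exist here; Firefox/Thunderbird would create a fresh profile instead" >&2 ;;
    esac
    # Two passes over the same file: the first finds which [ProfileN]
    # section carries Name=$2, the second rewrites only that section.
    # Values reach awk through the environment so backslashes are not
    # interpreted as escapes (awk -v would mangle E:\users\...).
    if PROFILE=$2 NEWPATH=$3 awk '
        { cr = sub(/\r$/, "") ? "\r" : "" }     # keep CRLF endings on files written under Windows
        FNR == NR {
            if ($0 ~ /^\[/) sect = $0
            else if ($0 == ("Name=" ENVIRON["PROFILE"])) target = sect
            next
        }
        /^\[/ { sect = $0 }
        target != "" && sect == target && /^IsRelative=/ { print "IsRelative=0" cr; next }
        target != "" && sect == target && /^Path=/       { print "Path=" ENVIRON["NEWPATH"] cr; next }
        { print $0 cr }
        END { if (target == "") exit 1 }
    ' "$ini" "$ini" > "$ini.tmp"; then
        mv "$ini.tmp" "$ini"
    else
        rm -f "$ini.tmp"
        echo "profile '$2' not found in $ini (left unchanged)" >&2
        return 1
    fi
}

# Usage for the article's two Firefox edits (each run where that
# profiles.ini is writable):
#   point_profile_at profiles.ini default 'E:\users\kevin\Firefox\Profiles\z9qffpsf.default'
#   point_profile_at ~/.mozilla/firefox/profiles.ini default \
#       /share/users/kevin/Firefox/Profiles/z9qffpsf.default
```

The Thunderbird edits are the same call with the other profiles.ini and the Thunderbird path. A profile name that is not present leaves the file untouched and returns non-zero, so a typo in the name cannot produce a half-edited file.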


Conclusion 

Having a dual-boot Linux and Windows notebook is convenient. The 
convenience is extended by sharing application data between both 
operating systems. Being able to run Mozilla Firefox and Thunderbird 
transparently from both Linux and Windows further enhances a dual- 
boot system's versatility. 

Although a large number of steps are required to create the shared 
configuration, the individual steps are not difficult for someone familiar 
with locating, copying and editing files and directory structures in both 
the Windows and Linux operating systems.


Resources for this article: www.linuxjournal.com/article/8954. 


Kevin Farnham works primarily on software engineering projects involving document indexing, 
mathematical modeling and simulation, and scientific data acquisition, analysis and presentation. 
His company, Lyra Technical Systems, Inc., is located in rural Northeastern Connecticut. 


Converting Video Formats with FFmpeg


FFmpeg allows Linux users to convert video files easily between a variety of different formats. 


SURAMYA TOMAR 


Today's affordable digital video cameras have placed the power of 
digital recording within most people's reach. Unfortunately, this has 
been accompanied with a corresponding increase in the variety of file 
formats and codecs available. Some of these formats are more efficient 
than others, and some are less encumbered by proprietary licensing 
restrictions. So, having the ability to convert from one format to 
another is a great help, as you can decide what format you are 
comfortable with and use that one instead of being restricted to a 
specific file format. 

FFmpeg is a simple and straightforward application that allows 
Linux users to convert video files easily between a variety of different 
formats. In this article, I walk you through installing FFmpeg and provide
a few instructive examples to demonstrate the range of applications
for which it can be used.


FFmpeg Installation 

FFmpeg is an open-source audio and video converter that supports 
most industry-standard codecs and can convert from one file format to 
another quickly and easily. It also lets you capture video and audio 
from a live source and process it. 

The source code for FFmpeg is available for download from the 
project Web site (ffmpeg.sourceforge.net/index.php) and at the 
time of this writing, the latest version available at the site is 0.4.9-pre1. 

Once you download the file, extract it using the following 
command: 


tar -zxf ffmpeg-0.4.9-pre1.tar.gz


This creates a new directory containing the source code for 
FFmpeg. To install it with the default configuration options, run 
./configure from within the FFmpeg source directory. Once the 
configuration script finishes, compile it by issuing make. Once the 
compile finishes without any errors, you can install FFmpeg by running 
make install as root. 

On the other hand, if you like to have control over what is installed 
and prefer customizing software installs, you can pass some command- 
line parameters to the configure script. To see all the options available 
for the installer, run the following command: 


./configure --help


This command gives you multiple screens of the various settings
that can be modified, and you can choose any options you like. The
on-screen display does a decent job of explaining what each option
does, so I will not go into a lot of detail on this.

I suggest that you enable the following options, but this is not a
requirement—feel free to experiment:


■ --enable-mp3lame: highly recommended—you won't be able to
encode MP3s without this. Needs lame to be installed already.


■ --enable-a52: enables GPLed A52 support, needed for decoding
some VOB files.


■ --enable-gpl: required for the previous component; otherwise,
not needed.


As I didn't have lame installed on my system, I ran the following
command to configure FFmpeg: 


./configure --enable-a52 --enable-gpl 


Once the configuration is complete, read through the output to 
make sure no errors were generated. Then, run make, and go have a 
drink or something as this might take a little while. Once the system 
finishes compiling FFmpeg, run make install as root to install 
FFmpeg, and you are done with the installation. 


Basic Usage 

Now that you have successfully installed FFmpeg, you can start experi- 
menting with it. The first thing you have to do is choose a video file 
with which to experiment. As this is your first time with FFmpeg, mak- 
ing a backup copy of this file is highly recommended. You don’t want 
to be responsible for ruining the only copy of a rare video. 

This input file most probably has been encoded using a particular 
codec, but because FFmpeg supports most of the popular formats, we 
don’t need to worry a lot about that. Formats supported by FFmpeg 
include MPEG, MPEG-4 (Divx), ASF, AVI, Real Audio/Video and 
QuickTime. To see a list of all the codecs/formats supported by 
FFmpeg, run the following command: 


ffmpeg --formats 


A detailed list of supported file formats is also available at the 
FFmpeg site. 

FFmpeg supports a large list of command-line parameters that 
controls various settings in FFmpeg. To get a listing of the various 
options available, run the following command: 


ffmpeg --help 

Don't let the multipage listing scare you away from using FFmpeg; the
basic usage is actually very simple. To convert a file with the default
settings, run the following command:

ffmpeg -i InputFile OutputFile

The -i option tells FFmpeg that the filename immediately after it is
the name of the file to be used as input. If this option is omitted,
FFmpeg attempts to overwrite that file when it tries to create the output
file. FFmpeg uses the extension of the output file to try to determine
the format and codec to use, though this can be overridden using
command-line parameters (more on this later).

The default settings create an output file that has radio-quality sound 
(64kbps bitrate) and very bad video quality (200kbps bitrate). Fortunately, 
these settings can be changed for each encoding, which allows you to 
choose the quality of each file depending on the need. 

To change the audio bitrate, add -ab bitrate to the command 
used earlier, where bitrate is the bitrate you want to use. See 
www.mp3-tech.org/tests/gb for information on the sound quality the 
various bitrates represent. I prefer to encode files with a bitrate between
128-192kbps depending on my needs, but you can put in a higher value if 
you so desire. Keep in mind, however, that the higher the bitrate you use, 
the larger the output file size will be. Also keep in mind that if your source 
file is encoded in a low bitrate, increasing the bitrate won't accomplish 
much other than increasing the output file size. 

Now, getting a CD-quality audio track for the video doesn’t really make 
sense if the video looks like it was taken using a five-year-old Webcam 
having a bad day. Thankfully, this problem also is easily solved by adding 
another parameter to the command line. 

To change the video bitrate, add the -b bitrate option to the command
line. The bitrate here can be any numeric value you like, and I have
seen bitrates all the way up to 23,000 (DVD Rips). Although the quality of 
video encoded with a 23,000kbps bitrate is amazing, the resulting file size 
of that encoding is also very amazing (a 90-minute video is about 4GB). In 
my experience, most videos look pretty decent at bitrates between 
1,000-1,400, but this is a personal preference, so play with the numbers 
until you figure out what works for you. 

So, to encode a video with a 128kbps audio bitrate and 1,200kbps 
video stream, we would issue the following command: 


ffmpeg -i InputFile.avi -ab 128 -b 1200 OutputFile.mpg 


If you are creating a video CD or DVD, FFmpeg makes it even easier 
by letting you specify a target type. Then, it uses the target type to 
calculate the format options required automatically. To set a target type, 
add -target type; type can be vcd, svcd, dvd, dv, pal-vcd or ntsc-svcd 
on the command line. So, if we were creating a VCD, we would run the 
following command: 


ffmpeg -i InputFile.mpg -target vcd vcd_file.mpg 


FFmpeg also has support for encoding audio files. The command to 
convert audio files is the same as the command to encode video files. To 
convert a WAV file to a 128kbps MP3 file, issue the following command: 


ffmpeg -i Input.wav -ab 128 Output.mp3 


Now, the biggest selling point of FFmpeg is that you can customize it to a level that you are comfortable with. So, if all you want to do is convert from one codec to another, and you don’t really care about the advanced features, you can stop reading here and still be able to encode/decode videos. On the other hand, if you like to have more control over the encoding, keep reading as we cover more of the advanced options available in FFmpeg.

There are far too many options available in FFmpeg for me to go over each of them here, so I cover some of the ones I found most interesting and leave the rest for you to explore.


Forcing the Use of a Particular Video Codec 

There are times when you will want to encode a video using a particular codec and file format. FFmpeg lets you choose the codec with which you want to encode by adding -vcodec codec to the command line, where codec is the name of the codec you want to use. So if we want to encode using the MPEG-4 codec at 1,200kbps video bitrate and 128kbps audio bitrate, the command looks like this:


ffmpeg -i InputFile.mpg -ab 128 -b 1200 -vcodec mpeg4 OutputFile.avi 


Remove the Audio Stream 
Let's say you have recorded a video that has a lot of background noise and undesired commentary, so you decide to remove the audio component of the video completely. To accomplish this, all you have to do is add the -an option to the command line, and FFmpeg automatically removes all audio from the output. Keep in mind that using this option negates any other option that affects the audio stream.

So, in our example, to remove the audio component, we would run the following command:


ffmpeg -i InputFile.mpg -an -b 1200 OutputFile.avi


Remove the Video Stream 
Let's say you downloaded a news video from the Net that you want to listen to on your iPod on the way to work, but in order to do that, you have to remove the video component from the output file. FFmpeg allows you to remove the video component of the file completely by adding the -vn option to the command line. Using this option negates any other option that affects the video stream.

So, in our example, to remove the video component and save the 
audio as a 256kbps MP3 file, we would run the following command: 


ffmpeg -i InputFile.mpg -vn -ab 256 OutputFile.mp3 


Choose among Multiple Audio Streams to Encode the Output File

Many DVDs have multiple language tracks available, and you can choose in which language you want to watch the video. Having multiple audio tracks is cool if you speak multiple languages and want to be able to watch videos in multiple languages. However, if you don’t speak multiple languages, the extra audio tracks are useless and are taking up disk space.

FFmpeg lets you choose which streams you want to keep and ignore the rest. The command-line parameter that allows you to map streams is called -map. So, if in our test file, stream 0 is the video stream, stream 1 is the Spanish audio stream and stream 2 is the English audio stream, and we want to keep the English audio in the output file, we would issue the following command:


ffmpeg -i InputFile.mpg -map 0:0 -map 2:1 -b 1200 OutputFile.avi 


In my experience, stream 0 in most video files is usually the video stream, and the remaining streams are the audio streams available with the video.
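The bitrate, target, codec, -an, -vn and -map options above are easy to combine wrongly by hand, so here is an added example (not from the article) of a small POSIX sh helper that assembles the command line and prints it as a dry run rather than executing it. It uses the 2006-era option names and units the article uses (-ab and -b in kbps), accepts only the target types the article lists, and enforces the article's two rules that -an discards other audio options and -vn discards other video options; the function name, its argument order and the plain-text output format are my assumptions.

```shell
# Added example: compose an ffmpeg command line per the article's rules
# and print it (dry run). File names with spaces are not supported here,
# because the result is printed as one line of text rather than executed.
ffmpeg_cmd() {
    # usage: ffmpeg_cmd INPUT OUTPUT [-ab KBPS] [-b KBPS] [-vcodec NAME]
    #                   [-target TYPE] [-an] [-vn] [-map IN:OUT]...
    input=$1; output=$2; shift 2
    ab=''; vb=''; vcodec=''; target=''; an=0; vn=0; maps=''
    while [ $# -gt 0 ]; do
        opt=$1; val=${2:-}
        case $opt in
            -an) an=1; shift; continue ;;
            -vn) vn=1; shift; continue ;;
            -ab|-b|-vcodec|-target|-map) ;;
            *) echo "ffmpeg_cmd: unknown option '$opt'" >&2; return 1 ;;
        esac
        [ -n "$val" ] || { echo "ffmpeg_cmd: $opt needs a value" >&2; return 1; }
        case $opt in
            # bitrates are plain numbers in kbps, as the article uses them
            -ab|-b) case $val in *[!0-9]*)
                echo "ffmpeg_cmd: $opt expects a bitrate in kbps" >&2; return 1 ;; esac ;;
            # only the target types the article lists are accepted
            -target) case $val in vcd|svcd|dvd|dv|pal-vcd|ntsc-svcd) ;; *)
                echo "ffmpeg_cmd: unknown target type '$val'" >&2; return 1 ;; esac ;;
        esac
        case $opt in
            -ab) ab=$val ;;  -b) vb=$val ;;  -vcodec) vcodec=$val ;;
            -target) target=$val ;;  -map) maps="$maps -map $val" ;;
        esac
        shift 2
    done
    cmd="ffmpeg -i $input$maps"
    # -an / -vn negate any other audio / video option, as the article notes
    if [ "$an" -eq 1 ]; then cmd="$cmd -an"; ab=''; fi
    if [ "$vn" -eq 1 ]; then cmd="$cmd -vn"; vb=''; vcodec=''; fi
    [ -n "$ab" ] && cmd="$cmd -ab $ab"
    [ -n "$vb" ] && cmd="$cmd -b $vb"
    [ -n "$vcodec" ] && cmd="$cmd -vcodec $vcodec"
    [ -n "$target" ] && cmd="$cmd -target $target"
    echo "$cmd $output"
}

# Demo: the article's "keep only the English audio track" command.
ffmpeg_cmd InputFile.mpg OutputFile.avi -map 0:0 -map 2:1 -b 1200
```

The printed line can be reviewed and then pasted into a shell; a rejected option (bad target type, non-numeric bitrate) makes the function return 1 without printing a command.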


Conclusion 

FFmpeg provides a wide range of options for manipulating and converting 
video files among a variety of formats. For more information, or to 
download the latest version of FFmpeg for yourself, please refer to the 
project Web site.


Suramya Tomar is a Linux system administrator who also likes to program. Visit www.suramya.com for more 
information on his background. 
SUSE Rocks, Fedora Locks


Welcome to the 20th century of usability, Fedora Core 5. Too bad this is the 21st. 


Nick Petreley, Editor in Chief 


I hope you'll forgive me if I can’t make good on the name of this column 100% of the time this month, because I will be including a few raves in this rant. I'll start with SUSE 10.0. I have been working on a SUSE 10.0 review for what seems like forever. The way things have been going, SUSE 11.0 probably will ship by the time I’m done.

If you read my rant from last month, you'll know I've upgraded to a dual-core AMD64 machine. I had to reinstall SUSE 10.0 on this new machine to continue my work on the review. I was tempted to call Novell and ask for the AMD64 version of SUSE 10.0, but went ahead and installed SUSE from the DVD that came in the box they sent. Much to my surprise and delight, it installed an AMD64 version of SUSE. It was only after it installed the 64-bit version that I examined the box carefully. Sure enough, in fine print (at least it’s fine print to my 53-year-old eyes), it says that the box includes multiple versions of SUSE, including the AMD64 version.

It gets better. SUSE includes Sun Java 1.5, and SUSE's included i686 version of Firefox can actually use it without any special work on my part. I had to kludge a 32-bit version of Firefox on 64-bit Kubuntu myself in order to get Java working as a plugin.

I don’t want to spend much more time waxing rhapsodic over SUSE, lest I include too much rave in this rant. But although there are a few things I don’t like about SUSE 10.0, I would have no trouble recommending it to virtually anyone. I confess, I have never liked SUSE in the past. This version has changed my opinion entirely.

As of a few days before this writing, the final version of Fedora Core 5 became available. I downloaded and installed the AMD64 version. It won't boot. Why? Because Fedora Core configures the GRUB bootloader to boot the partition labeled /. As it happens, I have about three partitions with that same label. I boot the Kanotix live CD, edit the GRUB configuration and /etc/fstab to point to the actual partition, and now Fedora boots.

What is it with the Fedora people that they feel compelled to use disk labels instead of partition device names? I realize that this won't be a problem for the average user who uses only Fedora and no other distribution of Linux. But then again, the average user isn’t likely to move Fedora to another partition or change the order of drives either, so the advantages of using disk labels will be lost on them. If the Fedora folks are bent on using disk labels, they could at least label the root partition something unique and identifying, like FC564ROOT for the AMD64 version and FC532ROOT for the i386 version.

I'll save you the rant on how disappointed I was with the 64-bit version as a desktop and tell you I decided to go with Fedora Core 5 i386 instead.

This time I edit the GRUB and /etc/fstab files after the installation finishes so it will boot the first time. As has been the case for years of using Red Hat distributions, it gets hung up on starting Sendmail about half the time. Surely I can’t be the only person who has experienced this? Why does this problem still exist? Why does Fedora even install Sendmail? There have been superior alternatives for years.

Kudos to Fedora for finally including a software package manager that lets you install packages other than the ones they want you to use. It would be nicer if it were even remotely intuitive, but then the Fedora folks are GNOME-lovers, so making it intuitive would violate the GNOME specification. It would be even nicer if the software updater didn’t run so slow that I always assume it is simply frozen and kill it. I always fall back to yum update, but even the command-line version of Yum doesn’t run, it crawls. Slowly.

The good news about Fedora Core 5 is that it not only includes SELinux (NSA Security Enhanced Linux), but it is preconfigured and enabled by default. It also makes it easy to configure SELinux policies. I love this. If SELinux is important to you, Fedora may be your bag.

But here’s my big beef aside from the bonehead disk label problem and other nuisances. Why are the Fedora folks so anal about licenses? There's no Sun Java in Fedora. There's no Flash plugin. I can almost excuse the maintainers for leaving these things out, but Fedora makes no effort at all to make it a no-brainer to add them. How many of you out there really don’t want your browser to be able to support Java or Flash? Aren’t you going to add these things anyway? So why not make it easy? Ubuntu/Kubuntu makes it easy, and these distros are based on Debian, the most license-anal distro on the planet.

Bottom line—if you're already a Fedora fan, you'll want Core 5. If you use anything else, now's not the time to switch.


Nicholas Petreley is Editor in Chief of Linux Journal and a former 
programmer, teacher, analyst and consultant who has been 
working with and writing about Linux for more than ten years. 


Rackspace — Managed Hosting Backed by Fanatical Support™ 


Fast servers, secure data centers and maximum bandwidth are all 
well and good. In fact, we invest a lot of money in them every year. 
But we believe hosting enterprise class web sites and web 
applications takes more than technology. It takes Fanatical Support. 


Fanatical Support isn’t a clever slogan, but the day to day reality our 
customers experience working with us. It’s how we have reimagined 
customer service to bring unprecedented responsiveness and value 
to everything we do for our customers. It starts the first time you 
talk with us. And it never ends. 


Contact us to see how Fanatical Support works for you. 


1.888.571.8976 or visit www.rackspace.com 


Thanks for honoring us with the 2005 Linux Journal Readers' Choice Award for “Favorite Web-Hosting Service”


rackspace 
monolithic switches. They aggregate data modulo 24 instead of 12, improving nearest neighbor latency in fine grain problems and doubling the size of the largest three hop fat tree that can be built, from 288 to 576 ports. Larger fabrics can be created linking 576 port domains together.

72 Port FasTree™ Configuration

Working with PathScale's InfiniPath HTX Adapters, the number of hops required to move MPI messages between nodes is reduced, improving latency. The modular design makes them useful for SDR, DDR and future QDR InfiniBand fabrics, greatly extending their useful life. Please send email to fastree@microway.com to request our white paper entitled Low Latency Modular Switches for InfiniBand.

Microway's QuadPuter® includes four AMD single or dual core Opteron™ processors, 1350 Watt redundant power supply, and up to 5 redundant, hot swap hard drives, all in 4U. Dual core enables users to increase computing capacity without increasing power requirements, thereby providing the best performance per watt. Constructed with stainless steel, QuadPuter’s RuggedRack™ architecture is designed to keep the processors and memory running cool and efficiently. Hard drives are cooled with external air and are front-mounted along with the power supply for easy access and removal. The RuggedRack™ is also available with an 8-way motherboard and up to 128 GB of memory for power- and memory-hungry SMP applications.

QuadPuter® Navion™ with hot swap, redundant power and hard drives and dual core Opterons, offering the perfect balance between performance and density